<!doctype html><html lang="en"><head><script defer src="https://cdn.optimizely.com/js/16180790160.js"></script><title data-rh="true">Linux Threat Hunting Primer — Part II | by VerintCyberSec | Verint Cyber Engineering | Medium</title><meta data-rh="true" charset="utf-8"/><meta data-rh="true" name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"/><meta data-rh="true" name="theme-color" content="#000000"/><meta data-rh="true" name="twitter:app:name:iphone" content="Medium"/><meta data-rh="true" name="twitter:app:id:iphone" content="828256236"/><meta data-rh="true" property="al:ios:app_name" content="Medium"/><meta data-rh="true" property="al:ios:app_store_id" content="828256236"/><meta data-rh="true" property="al:android:package" content="com.medium.reader"/><meta data-rh="true" property="fb:app_id" content="542599432471018"/><meta data-rh="true" property="og:site_name" content="Medium"/><meta data-rh="true" property="og:type" content="article"/><meta data-rh="true" property="article:published_time" content="2020-01-05T12:01:01.944Z"/><meta data-rh="true" name="title" content="Linux Threat Hunting Primer — Part II | by VerintCyberSec | Verint Cyber Engineering | Medium"/><meta data-rh="true" property="og:title" content="Linux Threat Hunting Primer — Part II"/><meta data-rh="true" property="twitter:title" content="Linux Threat Hunting Primer — Part II"/><meta data-rh="true" name="twitter:site" content="@verint_cyber"/><meta data-rh="true" name="twitter:app:url:iphone" content="medium://p/69484f58ac92"/><meta data-rh="true" property="al:android:url" content="medium://p/69484f58ac92"/><meta data-rh="true" property="al:ios:url" content="medium://p/69484f58ac92"/><meta data-rh="true" property="al:android:app_name" content="Medium"/><meta data-rh="true" name="description" content="In the previous post “Linux Threat Hunting Primer — Part 1” , we discussed how to start the threat hunting process and reviewed the statistical distribution 
of the Linux tactics and techniques. We…"/><meta data-rh="true" property="og:description" content="A full threat hunting process on one MITRE ATT&amp;CK technique"/><meta data-rh="true" property="twitter:description" content="A full threat hunting process on one MITRE ATT&amp;CK technique"/><meta data-rh="true" property="og:url" content="https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92"/><meta data-rh="true" property="al:web:url" content="https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92"/><meta data-rh="true" property="og:image" content="https://miro.medium.com/max/432/1*SDKkLzsh8ofgYCuFDj1gBQ.png"/><meta data-rh="true" name="twitter:image:src" content="https://miro.medium.com/max/432/1*SDKkLzsh8ofgYCuFDj1gBQ.png"/><meta data-rh="true" name="twitter:card" content="summary_large_image"/><meta data-rh="true" property="article:author" content="https://medium.com/@VerintCyberSec"/><meta data-rh="true" name="author" content="VerintCyberSec"/><meta data-rh="true" name="robots" content="index,follow,max-image-preview:large"/><meta data-rh="true" name="referrer" content="unsafe-url"/><meta data-rh="true" name="twitter:label1" content="Reading time"/><meta data-rh="true" name="twitter:data1" content="10 min read"/><link data-rh="true" rel="search" type="application/opensearchdescription+xml" title="Medium" href="/osd.xml"/><link data-rh="true" rel="apple-touch-icon" sizes="152x152" href="https://miro.medium.com/fit/c/152/152/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="120x120" href="https://miro.medium.com/fit/c/120/120/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="76x76" href="https://miro.medium.com/fit/c/76/76/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="60x60" href="https://miro.medium.com/fit/c/60/60/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="mask-icon" 
href="https://cdn-static-1.medium.com/_/fp/icons/Medium-Avatar-500x500.svg" color="#171717"/><link data-rh="true" rel="preconnect" href="https://glyph.medium.com" crossOrigin=""/><link data-rh="true" rel="preconnect" href="https://logx.optimizely.com"/><link data-rh="true" id="glyph_preload_link" rel="preload" as="style" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" id="glyph_link" rel="stylesheet" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" rel="author" href="https://medium.com/@VerintCyberSec"/><link data-rh="true" rel="canonical" href="https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92"/><link data-rh="true" rel="alternate" href="android-app://com.medium.reader/https/medium.com/p/69484f58ac92"/><link data-rh="true" rel="icon" href="https://miro.medium.com/1*m-R_BkNf1Qjr1YbyOIJY2w.png"/><script data-rh="true" type="application/ld+json">{"@context":"http:\u002F\u002Fschema.org","@type":"NewsArticle","image":["https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F1200\u002F1*SDKkLzsh8ofgYCuFDj1gBQ.png"],"url":"https:\u002F\u002Fmedium.com\u002Fverint-cyber-engineering\u002Flinux-threat-hunting-primer-part-ii-69484f58ac92","dateCreated":"2020-01-05T12:01:01.944Z","datePublished":"2020-01-05T12:01:01.944Z","dateModified":"2021-12-13T04:16:19.372Z","headline":"Linux Threat Hunting Primer — Part II - Verint Cyber Engineering - Medium","name":"Linux Threat Hunting Primer — Part II - Verint Cyber Engineering - Medium","description":"In the previous post “Linux Threat Hunting Primer — Part 1” , we discussed how to start the threat hunting process and reviewed the statistical distribution of the Linux tactics and techniques. 
We…","identifier":"69484f58ac92","author":{"@type":"Person","name":"VerintCyberSec","url":"https:\u002F\u002Fmedium.com\u002F@VerintCyberSec"},"creator":["VerintCyberSec"],"publisher":{"@type":"Organization","name":"Verint Cyber Engineering","url":"https:\u002F\u002Fmedium.com\u002Fverint-cyber-engineering","logo":{"@type":"ImageObject","width":308,"height":60,"url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F616\u002F1*OMF3fSqH8t4xBJ9-6oZDZw.png"}},"mainEntityOfPage":"https:\u002F\u002Fmedium.com\u002Fverint-cyber-engineering\u002Flinux-threat-hunting-primer-part-ii-69484f58ac92"}</script><link rel="preload" href="https://cdn.optimizely.com/js/16180790160.js" as="script"><style type="text/css" data-fela-rehydration="526" data-fela-type="STATIC">html{box-sizing:border-box}*, *:before, *:after{box-sizing:inherit}body{margin:0;padding:0;text-rendering:optimizeLegibility;-webkit-font-smoothing:antialiased;color:rgba(0,0,0,0.8);position:relative;min-height:100vh}h1, h2, h3, h4, h5, h6, dl, dd, ol, ul, menu, figure, blockquote, p, pre, form{margin:0}menu, ol, ul{padding:0;list-style:none;list-style-image:none}main{display:block}a{color:inherit;text-decoration:none}a, button, input{-webkit-tap-highlight-color:transparent}img, svg{vertical-align:middle}button{background:transparent;overflow:visible}button, input, optgroup, select, textarea{margin:0}:root{--reach-tabs:1;--reach-menu-button:1}#speechify-root{font-family:Sohne, sans-serif}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="KEYFRAME">@-webkit-keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}@-moz-keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}@keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE">.a{font-family:medium-content-sans-serif-font, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", 
"Helvetica Neue", sans-serif}.b{font-weight:400}.c{background-color:rgba(255, 255, 255, 1)}.l{height:100vh}.m{width:100vw}.n{display:flex}.o{align-items:center}.p{justify-content:center}.q{height:25px}.r{fill:rgba(41, 41, 41, 1)}.s{display:block}.t{position:absolute}.u{top:0}.v{left:0}.w{right:0}.x{z-index:500}.y{box-shadow:0 4px 12px 0 rgba(0, 0, 0, 0.05)}.ab{background-color:rgba(0, 0, 0, 1)}.ai{max-width:1192px}.aj{min-width:0}.ak{width:100%}.al{height:65px}.ao{flex:1 0 auto}.ap{fill:rgba(217, 214, 214, 1)}.aq{border-left:1px solid rgba(111, 109, 109, 1)}.ar{margin-left:15px}.as{margin-right:14px}.at{height:24px}.au{width:1px}.av{font-family:sohne, "Helvetica Neue", Helvetica, Arial, sans-serif}.aw{font-weight:500}.ax{font-size:22px}.ay{line-height:28px}.az{overflow:hidden}.ba{max-height:28px}.bb{text-overflow:ellipsis}.bc{display:-webkit-box}.bd{-webkit-line-clamp:1}.be{-webkit-box-orient:vertical}.bg{letter-spacing:0}.bh{color:rgba(227, 224, 224, 1)}.bi{flex:0 0 auto}.bj{border-top:none}.bk{display:none}.bm{height:54px}.bn{margin-right:40px}.bo{font-size:20px}.bp{line-height:24px}.bq{max-height:24px}.br{overflow:auto}.bs{flex:0 1 auto}.bt{list-style-type:none}.bu{margin:0}.bv{line-height:40px}.bw{white-space:nowrap}.bx{overflow-x:auto}.by{align-items:flex-start}.bz{margin-top:20px}.ca{padding-top:20px}.cb{height:80px}.cc{margin-bottom:0px}.cd{margin-top:0px}.cl{margin-left:auto}.cm{margin-right:auto}.cn{max-width:728px}.co{box-sizing:border-box}.cp{background:rgba(255, 255, 255, 1)}.cq{border:1px solid rgba(230, 230, 230, 1)}.cr{border-radius:4px}.cs{box-shadow:0 1px 4px rgba(230, 230, 230, 1)}.ct{max-height:100vh}.cu{overflow-y:auto}.cv{top:calc(100vh + 100px)}.cw{bottom:calc(100vh + 100px)}.cx{width:10px}.cy{pointer-events:none}.cz{word-break:break-word}.da{word-wrap:break-word}.db:after{display:block}.dc:after{content:""}.dd:after{clear:both}.de{max-width:680px}.df{line-height:1.23}.dg{font-style:normal}.dh{font-family:fell, Georgia, Cambria, "Times New 
Roman", Times, serif}.ec{margin-bottom:-0.27em}.ed{color:rgba(41, 41, 41, 1)}.ee{margin-top:32px}.ef{justify-content:space-between}.ej{border-radius:50%}.ek{height:48px}.el{width:48px}.em{margin-left:8px}.en{font-size:14px}.eo{line-height:20px}.ep{margin-bottom:2px}.er{max-height:20px}.es{color:inherit}.et{fill:inherit}.eu{font-size:inherit}.ev{border:inherit}.ew{font-family:inherit}.ex{letter-spacing:inherit}.ey{font-weight:inherit}.ez{padding:0}.fc:disabled{cursor:default}.fd:disabled{color:rgba(117, 117, 117, 1)}.fe:disabled{fill:rgba(117, 117, 117, 1)}.ff{font-size:13px}.fg{color:rgba(255, 255, 255, 1)}.fh{padding:0px 8px 1px}.fi{fill:rgba(255, 255, 255, 1)}.fj{background:rgba(134, 132, 132, 1)}.fk{border-color:rgba(134, 132, 132, 1)}.fn:disabled{cursor:inherit !important}.fo:disabled{opacity:0.3}.fp:disabled:hover{background:rgba(134, 132, 132, 1)}.fq:disabled:hover{border-color:rgba(134, 132, 132, 1)}.fr{border-radius:99em}.fs{border-width:1px}.ft{border-style:solid}.fu{display:inline-block}.fv{text-decoration:none}.fw{margin-left:4px}.fx{stroke:rgba(242, 242, 242, 1)}.fy{height:23px}.fz{width:23px}.gc{color:rgba(242, 242, 242, 1)}.gd{fill:rgba(242, 242, 242, 1)}.ge{background:rgba(242, 242, 242, 1)}.gf{border-color:rgba(242, 242, 242, 1)}.gl{color:rgba(117, 117, 117, 1)}.gm{align-items:flex-end}.gu{padding-right:1px}.gv{fill:rgba(117, 117, 117, 1)}.gw path{fill:rgba(8, 8, 8, 1)}.gx{margin:0 6px 0 7px}.gy{line-height:1.58}.gz{letter-spacing:-0.004em}.ha{font-family:charter, Georgia, Cambria, "Times New Roman", Times, serif}.hv{margin-bottom:-0.46em}.hw{text-decoration:underline}.hx{font-style:italic}.hy{line-height:1.12}.hz{letter-spacing:-0.022em}.is{margin-bottom:-0.28em}.it{line-height:1.18}.jj{margin-bottom:-0.31em}.jp{list-style-type:decimal}.jq{margin-left:30px}.jr{padding-left:0px}.jx{box-shadow:inset 3px 0 0 0 rgba(41, 41, 41, 1)}.jy{padding-left:23px}.jz{margin-left:-20px}.ka{max-width:397px}.kg{clear:both}.kh{opacity:0}.ki{transition:opacity 100ms 
400ms}.kj{height:100%}.kk{will-change:transform}.kl{transform:translateZ(0)}.km{margin:auto}.kn{position:relative}.ko{background-color:rgba(242, 242, 242, 1)}.kp{padding-bottom:17.632241813602015%}.kq{height:0}.kr{filter:blur(20px)}.ks{transform:scale(1.1)}.kt{visibility:visible}.ku{margin-top:10px}.kv{text-align:center}.ky{max-width:447px}.kz{padding-bottom:8.724832214765101%}.la{max-width:200px}.lb{padding-bottom:12.5%}.lc{max-width:607px}.ld{padding-bottom:13.179571663920923%}.le{list-style-type:disc}.lf{max-width:473px}.lg{padding-bottom:71.03594080338266%}.lh{margin-bottom:14px}.li{padding-top:24px}.lj{padding-bottom:10px}.lk{background-color:rgba(8, 8, 8, 1)}.ll{height:3px}.lm{width:3px}.ln{margin-right:20px}.lo{max-width:353px}.lp{border-width:2px}.lq{border-color:rgba(255, 255, 255, 1)}.lr{float:left}.ls{margin-left:-150px}.lt{margin-right:30px}.lu{width:75%}.lz{margin-bottom:16px}.ma{max-width:100%}.mb{height:auto}.mc{max-width:348px}.md{font-style:inherit}.mm{max-width:1700px}.mn{padding-bottom:5px}.mo{padding-top:5px}.mq{cursor:zoom-in}.mr{z-index:auto}.mt{max-width:1215px}.mu{max-width:428px}.mv{max-width:426px}.mw{max-width:432px}.mx{padding-bottom:70.60185185185186%}.my{max-width:427px}.mz{max-width:1279px}.na{padding-bottom:100%}.nb{max-width:542px}.nc{padding-bottom:60.14760147601476%}.nd{will-change:opacity}.ne{position:fixed}.nf{width:188px}.ng{left:50%}.nh{transform:translateX(406px)}.ni{top:calc(65px + 54px + 14px)}.nl{will-change:opacity, transform}.nm{transform:translateY(159px)}.no{width:197px}.np{flex-direction:column}.nq{font-size:16px}.nr{margin-bottom:20px}.ns{padding-bottom:20px}.nt{padding-top:2px}.nu{max-height:120px}.nv{-webkit-line-clamp:6}.nw{padding-top:32px}.nx{border-top:1px solid rgba(230, 230, 230, 1)}.ny{flex-direction:row}.nz{justify-content:space-evenly}.of{-webkit-user-select:none}.og{outline:0}.oh{border:0}.oi{user-select:none}.oj{cursor:pointer}.ok> svg{pointer-events:none}.ov 
button{text-align:left}.ow{margin-top:2px}.ox{fill:rgba(61, 61, 61, 1)}.oy{opacity:1}.oz{margin-top:1px}.pa{margin-top:40px}.pb{flex-wrap:wrap}.pc{margin-top:25px}.pd{margin-right:8px}.pe{margin-bottom:8px}.pf{line-height:22px}.pg{border-radius:3px}.ph{padding:5px 10px}.pi{max-width:155px}.pp{top:1px}.ps{margin-left:24px}.pt{margin-top:4px}.pu{margin-bottom:25px}.pw{margin-bottom:32px}.px{min-height:80px}.qc{width:80px}.qd{padding-left:102px}.qe{margin-bottom:6px}.qg{max-width:550px}.qh{max-width:450px}.qj{margin-top:5px}.qk{height:40px}.ql{width:40px}.qm{margin-left:12px}.qn{font-size:12px}.qo{line-height:16px}.qp{letter-spacing:0.083em}.qq{text-transform:uppercase}.qr{padding-top:8px}.qs{margin-bottom:40px}.qt{margin-top:24px}.qu{padding-bottom:16px}.qv{border-bottom:1px solid rgba(230, 230, 230, 1)}.qw{margin-bottom:24px}.sg{flex-grow:0}.sh{padding-bottom:24px}.si{max-width:500px}.sk{padding-bottom:8px}.fa:hover{cursor:pointer}.fb:hover{text-decoration:underline}.fl:hover{background:rgba(115, 113, 113, 1)}.fm:hover{border-color:rgba(115, 113, 113, 1)}.ga:hover{color:rgba(25, 25, 25, 1)}.gb:hover{fill:rgba(25, 25, 25, 1)}.gg:hover{background:rgba(242, 242, 242, 1)}.gh:hover{border-color:rgba(242, 242, 242, 1)}.gi:hover{cursor:wait}.gj:hover{color:rgba(242, 242, 242, 1)}.gk:hover{fill:rgba(242, 242, 242, 1)}.on:hover{fill:rgba(117, 117, 117, 1)}.ms:focus{transform:scale(1.01)}.om:focus{fill:rgba(117, 117, 117, 1)}.ol:active{border-style:none}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (min-width: 1080px)">.d{display:none}.ah{margin:0 64px}.ck{padding:0 
16px}.dy{font-size:48px}.dz{margin-top:0.55em}.ea{line-height:60px}.eb{letter-spacing:-0.011em}.gt{margin-left:30px}.hr{font-size:21px}.hs{margin-top:2em}.ht{line-height:32px}.hu{letter-spacing:-0.003em}.io{font-size:30px}.ip{margin-top:1.95em}.iq{line-height:36px}.ir{letter-spacing:0}.jg{font-size:22px}.jh{margin-top:1.72em}.ji{line-height:28px}.jo{margin-top:0.86em}.jw{margin-top:1.05em}.kf{margin-top:56px}.ml{max-width:1192px}.oe{margin-right:5px}.ou{margin-top:0px}.po{margin-top:5px}.pr{display:inline-block}.rl{width:calc(100% + 32px)}.rm{margin-left:-16px}.rn{margin-right:-16px}.sc{padding-left:16px}.sd{padding-right:16px}.se{flex-basis:25%}.sf{max-width:25%}.st{font-size:16px}.su{line-height:20px}.tf{min-width:70px}.tg{min-height:70px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (max-width: 1079.98px)">.e{display:none}.gs{margin-left:30px}.kw{margin-left:auto}.kx{text-align:center}.lv{float:none}.lw{margin-left:0}.lx{margin-right:0}.ly{width:100%}.ot{margin-top:0px}.pn{margin-top:5px}.pq{display:inline-block}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (max-width: 903.98px)">.f{display:none}.gr{margin-left:30px}.os{margin-top:0px}.pl{display:inline-block}.pm{margin-top:5px}.sj{margin-right:16px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (max-width: 727.98px)">.g{display:none}.am{height:56px}.an{display:flex}.bl{display:block}.ce{margin-bottom:0px}.cf{height:110px}.eh{margin-top:32px}.ei{flex-direction:column-reverse}.gp{margin-bottom:30px}.gq{margin-left:0px}.oq{margin-top:2px}.or{margin-right:16px}.pk{display:inline-block}.pv{padding-top:0}.py{margin-bottom:24px}.pz{align-items:center}.qa{width:102px}.qb{position:relative}.qf{padding-left:0}.qi{margin-top:24px}.qx{padding-bottom:12px}.qy{margin-top:16px}.sv{margin-left:16px}.sw{margin-right:0px}</style><style type="text/css" data-fela-rehydration="526" 
data-fela-type="RULE" media="all and (max-width: 551.98px)">.h{display:none}.ac{margin:0 24px}.cg{padding:0 8px 24px 8px}.di{font-size:34px}.dj{margin-top:0.56em}.dk{line-height:42px}.dl{letter-spacing:-0.016em}.eg{margin-top:32px}.eq{margin-bottom:0px}.gn{margin-bottom:30px}.go{margin-left:0px}.hb{font-size:18px}.hc{margin-top:1.56em}.hd{line-height:28px}.he{letter-spacing:-0.003em}.ia{font-size:22px}.ib{margin-top:1.2em}.ic{letter-spacing:0}.iu{font-size:20px}.iv{margin-top:1.23em}.iw{line-height:24px}.jk{margin-top:0.67em}.js{margin-top:1.34em}.kb{margin-top:40px}.me{margin:0}.mf{max-width:100%}.oa{margin-left:8px}.oo{margin-top:2px}.op{margin-right:16px}.pj{display:inline-block}.qz{width:calc(100% + 24px)}.ra{margin-left:-12px}.rb{margin-right:-12px}.ro{padding-left:12px}.rp{padding-right:12px}.rq{flex-basis:100%}.sl{font-size:16px}.sm{line-height:20px}.sx{min-width:48px}.sy{min-height:48px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (min-width: 904px) and (max-width: 1079.98px)">.i{display:none}.ag{margin:0 64px}.cj{padding:0 16px}.du{font-size:48px}.dv{margin-top:0.55em}.dw{line-height:60px}.dx{letter-spacing:-0.011em}.hn{font-size:21px}.ho{margin-top:2em}.hp{line-height:32px}.hq{letter-spacing:-0.003em}.ik{font-size:30px}.il{margin-top:1.95em}.im{line-height:36px}.in{letter-spacing:0}.jd{font-size:22px}.je{margin-top:1.72em}.jf{line-height:28px}.jn{margin-top:0.86em}.jv{margin-top:1.05em}.ke{margin-top:56px}.mk{max-width:1192px}.od{margin-right:5px}.ri{width:calc(100% + 32px)}.rj{margin-left:-16px}.rk{margin-right:-16px}.ry{padding-left:16px}.rz{padding-right:16px}.sa{flex-basis:25%}.sb{max-width:25%}.sr{font-size:16px}.ss{line-height:20px}.td{min-width:70px}.te{min-height:70px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (min-width: 728px) and (max-width: 903.98px)">.j{display:none}.af{margin:0 48px}.ci{padding:0 
16px}.dq{font-size:48px}.dr{margin-top:0.55em}.ds{line-height:60px}.dt{letter-spacing:-0.011em}.hj{font-size:21px}.hk{margin-top:2em}.hl{line-height:32px}.hm{letter-spacing:-0.003em}.ig{font-size:30px}.ih{margin-top:1.95em}.ii{line-height:36px}.ij{letter-spacing:0}.ja{font-size:22px}.jb{margin-top:1.72em}.jc{line-height:28px}.jm{margin-top:0.86em}.ju{margin-top:1.05em}.kd{margin-top:56px}.mi{margin:0}.mj{max-width:100%}.oc{margin-right:5px}.rf{width:calc(100% + 28px)}.rg{margin-left:-14px}.rh{margin-right:-14px}.ru{padding-left:14px}.rv{padding-right:14px}.rw{flex-basis:50%}.rx{max-width:50%}.sp{font-size:16px}.sq{line-height:20px}.tb{min-width:48px}.tc{min-height:48px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (min-width: 552px) and (max-width: 727.98px)">.k{display:none}.ae{margin:0 24px}.ch{padding:0 8px 24px 8px}.dm{font-size:34px}.dn{margin-top:0.56em}.do{line-height:42px}.dp{letter-spacing:-0.016em}.hf{font-size:18px}.hg{margin-top:1.56em}.hh{line-height:28px}.hi{letter-spacing:-0.003em}.id{font-size:22px}.ie{margin-top:1.2em}.if{letter-spacing:0}.ix{font-size:20px}.iy{margin-top:1.23em}.iz{line-height:24px}.jl{margin-top:0.67em}.jt{margin-top:1.34em}.kc{margin-top:40px}.mg{margin:0}.mh{max-width:100%}.ob{margin-left:8px}.rc{width:calc(100% + 24px)}.rd{margin-left:-12px}.re{margin-right:-12px}.rr{padding-left:12px}.rs{padding-right:12px}.rt{flex-basis:100%}.sn{font-size:16px}.so{line-height:20px}.sz{min-width:48px}.ta{min-height:48px}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="print">.z{display:none}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="(orientation: landscape) and (max-width: 903.98px)">.bf{max-height:none}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="(prefers-reduced-motion: no-preference)">.mp{transition:transform 300ms cubic-bezier(0.2, 0, 0.2, 1)}.nj{transition:opacity 
200ms}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (max-width: 1230px)">.nk{display:none}</style><style type="text/css" data-fela-rehydration="526" data-fela-type="RULE" media="all and (max-width: 1240px)">.nn{display:none}</style></head><body><div id="root"><div class="a b c"><div class="d e f g h i j k"></div><script>document.domain = document.domain;</script><div class="s"><nav class="s t u v w c x y z"><div><div class="s ab"><div class="n p"><div class="ac ae af ag ah ai aj ak"><div class="al n o am an"><div class="n o ao x"><a aria-label="Homepage" rel="noopener follow" href="https://medium.com/?source=post_page-----69484f58ac92-----------------------------------"><svg viewBox="0 0 1043.63 592.71" class="q ap"><g data-name="Layer 2"><g data-name="Layer 1"><path d="M588.67 296.36c0 163.67-131.78 296.35-294.33 296.35S0 460 0 296.36 131.78 0 294.34 0s294.33 132.69 294.33 296.36M911.56 296.36c0 154.06-65.89 279-147.17 279s-147.17-124.94-147.17-279 65.88-279 147.16-279 147.17 124.9 147.17 279M1043.63 296.36c0 138-23.17 249.94-51.76 249.94s-51.75-111.91-51.75-249.94 23.17-249.94 51.75-249.94 51.76 111.9 51.76 249.94"></path></g></g></svg></a><div class="aq ar as at au s g"></div><div class="s g"><a href="/verint-cyber-engineering?source=post_page-----69484f58ac92-----------------------------------" rel="noopener follow"><span class="av aw ax ay az ba bb bc bd be bf bg bh">Verint Cyber Engineering</span></a></div></div><div class="s bi x"></div></div></div></div></div><div class="bj bk ab bl"><div class="n p"><div class="ac ae af ag ah ai aj ak"><div class="bm az n o"><div class="bn s bi"><a href="/verint-cyber-engineering?source=post_page-----69484f58ac92-----------------------------------" rel="noopener follow"><span class="av aw bo bp az bq bb bc bd be bf bg bh">Verint Cyber Engineering</span></a></div><div class="br s bs"><ul class="bt bu bv bw bx n by g bz ca 
cb"></ul></div></div></div></div></div></div></nav><div class="cc cd al s ce cf"></div><article><section class="cg ch ci cj ck cl cm ak cn co s"></section><span class="s"></span><div><div><div class="t v cv cw cx cy"></div><section class="cz da db dc dd"><div class="n p"><div class="ac ae af ag ah de aj ak"><div class=""><h1 id="72a0" class="df bg dg dh b di dj dk dl dm dn do dp dq dr ds dt du dv dw dx dy dz ea eb ec ed">Linux Threat Hunting Primer — Part II</h1><div class="ee"><div class="n ef eg eh ei"><div class="o n"><div><a rel="noopener follow" href="/@VerintCyberSec?source=post_page-----69484f58ac92-----------------------------------"><img alt="VerintCyberSec" class="s ej ek el" src="https://miro.medium.com/fit/c/96/96/1*dmbNkD5D-u45r44go_cf0g.png" width="48" height="48"/></a></div><div class="em ak s"><div class="n"><div style="flex:1"><span class="av b en eo ed"><div class="ep n o eq"><span class="av b en eo az er bb bc bd be bf ed"><a class="es et eu ev ew ex ey ez bu fa fb fc fd fe" rel="noopener follow" href="/@VerintCyberSec?source=post_page-----69484f58ac92-----------------------------------">VerintCyberSec</a></span><div class="em n"><span><button class="av b ff eo fg fh fi fj fk fl fm fa fn fo fp fq fr fs ft co fu fv">Follow</button></span><div class="fw s"><div><div><div class="fu" role="tooltip" aria-hidden="false"><div class="s"><span><a class="es et eu ev ew ex ey ez bu fa ga gb fc fd fe" rel="noopener follow" href="/m/signin?actionUrl=%2F_%2Fapi%2Fusers%2Fdb944269e66c%2Flazily-enable-writer-subscription&amp;operation=register&amp;redirect=https%3A%2F%2Fmedium.com%2Fverint-cyber-engineering%2Flinux-threat-hunting-primer-part-ii-69484f58ac92&amp;user=VerintCyberSec&amp;userId=db944269e66c&amp;source=post_page-----69484f58ac92---------------------subscribe_user--------------"><button class="av b en eo gc ez gd ge gf gg gh gi gj gk fn fo fp fq fr fs ft co fu fv" aria-label="Subscribe"><svg width="23" height="23" viewBox="0 0 23 23" fill="none" 
class="fx fy fz"><path stroke-linecap="round" d="M14.58 6.89h3.92M16.39 9V5.08M11.62 7.04H7a1 1 0 0 0-1 1v7.13a1 1 0 0 0 1 1h8.54a1 1 0 0 0 1-1v-3.21"></path><path d="M6 8.44l5.27 3.87 2.81-2.11" stroke-linecap="round"></path></svg></button></a></span></div></div></div></div></div></div></div></span></div></div><span class="av b en eo gl"><span class="av b en eo az er bb bc bd be bf gl"><div><a class="es et eu ev ew ex ey ez bu fa fb fc fd fe" rel="noopener follow" href="/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92?source=post_page-----69484f58ac92-----------------------------------"><span>Jan 5, 2020</span></a> <!-- -->·<!-- --> <!-- -->10<!-- --> min read</div></span></span></div></div><div class="n gm gn go gp gq gr gs gt z"><div class="n o"><div class="gu s bi"><div><div class="fu" role="tooltip" aria-hidden="false"><button class="es et eu ev ew ex ey ez bu fa ga gb fc fd fe" aria-label="Share on twitter"><svg width="30" height="30" viewBox="0 0 30 30" fill="none" class="gv gw"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 27a12 12 0 1 0 0-24 12 12 0 0 0 0 24zm4.95-16.17a2.67 2.67 0 0 0-4.6 1.84c0 .2.03.41.05.62a7.6 7.6 0 0 1-5.49-2.82 3 3 0 0 0-.38 1.34c.02.94.49 1.76 1.2 2.23a2.53 2.53 0 0 1-1.2-.33v.04c0 1.28.92 2.36 2.14 2.62-.23.05-.46.08-.71.1l-.21-.02-.27-.03a2.68 2.68 0 0 0 2.48 1.86A5.64 5.64 0 0 1 9 19.38a7.62 7.62 0 0 0 4.1 1.19c4.9 0 7.58-4.07 7.57-7.58v-.39c.52-.36.97-.83 1.33-1.38-.48.23-1 .37-1.53.43.56-.33.96-.86 1.15-1.48-.5.31-1.07.53-1.67.66z" fill="#292929"></path></svg></button></div></div></div><div class="gu s bi"><div><div class="fu" role="tooltip" aria-hidden="false"><button class="es et eu ev ew ex ey ez bu fa ga gb fc fd fe" aria-label="Share on facebook"><svg width="30" height="30" viewBox="0 0 30 30" fill="none" class="gv gw"><path fill-rule="evenodd" clip-rule="evenodd" d="M15 27a12 12 0 1 0 0-24 12 12 0 0 0 0 24zm-1.23-6.03V15.6H12v-2.15h1.77v-1.6C13.77 10 14.85 9 16.42 9c.75 0 1.4.06 
0 0 0 .02.97c0 .06 0 .13.02.19.06.17.14.34.22.5v.02l.06.12.02.03.01.02.08.1c0 .02.02.03.04.05l.08.1h.01c0 .01 0 .03.02.03l.14.14.43.41.08-.06.88-.84.05-.09.03-.1-.36-.37a.4.4 0 0 1-.12-.13v-.02l-.02-.02-.05-.09-.04-.04-.04-.1v-.02l-.02-.02a1.16 1.16 0 0 1 .06-.82c.09-.14.16-.24.23-.3l.9-.85.6-.58.93-.92c.23-.2.5-.3.82-.3a1.2 1.2 0 0 1 .82.3l1 .96c.13.15.23.29.28.42a1.43 1.43 0 0 1 0 .66c-.03.17-.12.33-.26.48l-1.54 1.45.02.25a3.28 3.28 0 0 1-.96 2.32 2.5 2.5 0 0 0 1.1-.62l.01-.01 2.46-2.34c.19-.2.35-.4.46-.6l.02-.02v-.02h.01a2.45 2.45 0 0 0 .21-1.82 2.53 2.53 0 0 0-.7-1.19l-1-.96a2.68 2.68 0 0 0-1.91-.75c-.75 0-1.38.25-1.9.76l-1.2 1.14-.76.72-.5.49c-.4.37-.64.83-.74 1.37z" fill="#292929"></path></svg></button></div></div></div><div class="gx s"></div></div></div></div></div></div><p id="0c14" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">By <a class="es hw" href="https://il.linkedin.com/in/shachar-roitman-94bb27157?trk=people-guest_profile-result-card_result-card_full-click" rel="noopener ugc nofollow" target="_blank">Shachar Roitman</a></p><p id="05d5" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">In the previous post <a class="es hw" rel="noopener" href="/@VerintCyberSec/dd11b156cb7d">“Linux Threat Hunting Primer — Part 1”</a>, we discussed how to start the threat hunting process and reviewed the statistical distribution of the Linux tactics and techniques. We also created lists of techniques to search for after performing ROI estimation. Moreover, we began to list the different stages required in the process of threat hunting. 
In this post, we will describe and demonstrate a full threat hunting process on one MITRE ATT&amp;CK technique.</p><p id="a320" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">All of the queries I’m going to show will be written in TPSQL, the <a class="es hw" href="https://cis.verint.com/tps/" rel="noopener ugc nofollow" target="_blank">Verint Threat Protection System</a> (TPS) query language. Don’t worry, the language is simple to understand.</p><p id="d08c" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">TPS agents collect data using various techniques, including <em class="hx">auditd</em> and custom kernel modules. You can refer to the <em class="hx">strace</em>, <em class="hx">ptrace</em> and <em class="hx">auditd</em> documentation, or to their output on your system, to get additional insight into the fields and queries we’re going to use in this post.</p><h1 id="9792" class="hy hz dg av aw ia ib hd ic id ie hh if ig ih ii ij ik il im in io ip iq ir is ed">Credential Dumping — Example of a full threat hunting process</h1><h2 id="aecb" class="it hz dg av aw iu iv iw ic ix iy iz if ja jb jc ij jd je jf in jg jh ji ir jj ed">Stage 0: Understand the attack and/or technique you’d like to find</h2><p id="08f9" class="gy gz dg ha b hb jk hd he hf jl hh hi hj jm hl hm hn jn hp hq hr jo ht hu hv cz ed">There are two important questions to ask ourselves at this point:</p><ol class=""><li id="ae7b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv jp jq jr ed">What does the attacker want to accomplish when performing the attack?</li><li id="5384" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv jp jq jr ed">How is the attacker going to do it?</li></ol><h2 id="9550" class="it hz dg av aw iu iv iw ic ix iy iz if ja jb jc ij jd je jf in jg jh ji ir jj ed">What is credential dumping?</h2><blockquote class="jx jy jz"><p id="5d80" class="gy gz hx 
ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">“Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software.” [MITRE ATT&amp;CK definition, <a class="es hw" href="https://attack.mitre.org/techniques/T1003/" rel="noopener ugc nofollow" target="_blank">T1003</a>]</p></blockquote><p id="d164" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">In Linux, abusing the <em class="hx">/proc</em> directory is one of the most common courses of action for this kind of attack. A common technique is reading the memory of a process from <em class="hx">/proc/[pid]/maps</em> and dumping/harvesting passwords using root privileges.</p><p id="ea95" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">As a demonstration, we will check if we can find plain text passwords in memory dumps. For the following example, I am using <a class="es hw" href="https://github.com/504ensicsLabs/LiME" rel="noopener ugc nofollow" target="_blank">Linux Memory Extractor (LiMe)</a>:</p><p id="bfdd" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">The “<em class="hx">shachar</em>” user is in the <em class="hx">sudo</em> group, so this account can be used for privilege escalation. 
I dumped the memory using LiMe and searched for plain text passwords (using <em class="hx">strings</em> and <em class="hx">grep</em> commands).</p><p id="ac92" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">From the users point of view:</p><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm ka"><div class="km s kn ko"><div class="kp kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*fVw-yGXYUKguz7faC5WGzQ.png?q=20" width="397" height="70" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="397" height="70" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/794/1*fVw-yGXYUKguz7faC5WGzQ.png" width="397" height="70" srcSet="https://miro.medium.com/max/552/1*fVw-yGXYUKguz7faC5WGzQ.png 276w, https://miro.medium.com/max/794/1*fVw-yGXYUKguz7faC5WGzQ.png 397w" sizes="397px" role="presentation"/></noscript></div></div></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 1: The user wanted to perform an action, which required “root” privileges</figcaption></figure><p id="5b62" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">From the attacker point of view (Memory dump):</p><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm ky"><div class="km s kn ko"><div class="kz kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*Rd8X0baeT2kCO1B9Wi-zlw.png?q=20" width="447" height="39" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="447" height="39" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/894/1*Rd8X0baeT2kCO1B9Wi-zlw.png" width="447" height="39" srcSet="https://miro.medium.com/max/552/1*Rd8X0baeT2kCO1B9Wi-zlw.png 276w, 
https://miro.medium.com/max/894/1*Rd8X0baeT2kCO1B9Wi-zlw.png 447w" sizes="447px" role="presentation"/></noscript></div></div></div></figure><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm la"><div class="km s kn ko"><div class="lb kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*ZbhH-e6EYegl1wV6ARia0w.png?q=20" width="200" height="25" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="200" height="25" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/400/1*ZbhH-e6EYegl1wV6ARia0w.png" width="200" height="25" role="presentation"/></noscript></div></div></div></figure><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm lc"><div class="km s kn ko"><div class="ld kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*FNjmoV20wJHQeSjS_EasHQ.png?q=20" width="607" height="80" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="607" height="80" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/1214/1*FNjmoV20wJHQeSjS_EasHQ.png" width="607" height="80" srcSet="https://miro.medium.com/max/552/1*FNjmoV20wJHQeSjS_EasHQ.png 276w, https://miro.medium.com/max/1104/1*FNjmoV20wJHQeSjS_EasHQ.png 552w, https://miro.medium.com/max/1214/1*FNjmoV20wJHQeSjS_EasHQ.png 607w" sizes="607px" role="presentation"/></noscript></div></div></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Images 2–4: I looked for Shachar’s user login action in the memory and for a password pattern</figcaption></figure><p id="f8f6" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Now that we verified that some plain-text passwords can be found in memory it’s clear that an attacker can also leverage this to steal passwords. 
Next, we’ll look at the different ways this attack can be implemented.</p><h1 id="ccd4" class="hy hz dg av aw ia ib hd ic id ie hh if ig ih ii ij ik il im in io ip iq ir is ed">Stage 1: Find ways to implement this technique</h1><p id="ba49" class="gy gz dg ha b hb jk hd he hf jl hh hi hj jm hl hm hn jn hp hq hr jo ht hu hv cz ed">Now that we understand the technique, we’d like to find the variety of ways to implement it. For example, which syscalls, files or process are involved in the different stages of the attack?</p><p id="e978" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">In this stage, we will see malicious tools that implement the attack and how they do it. In addition, we will look for the attack footprint on the OS.</p><p id="4725" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Reading previous research papers on credential dumping (see: <a class="es hw" href="http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf" rel="noopener ugc nofollow" target="_blank">http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf</a>) confirms and reinforces the behavior that we witnessed in the previous stage. The research indicates that an attacker can see the user’s account information in different processes memory, such as:</p><ul class=""><li id="f69f" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed">By looking at Gnome Display Manager Process memory dump, we can see the Linux login password in ASCII as well as information from <em class="hx">/etc/shadow</em> and <em class="hx">/etc/passwd</em>. 
This includes the login shadow password, username, long name, UID, GID, home directory, and shell.</li><li id="302c" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">The <em class="hx">thunderbird-bin</em> process memory contains the user’s plain text email password, name, email address, mail server and related information in ASCII format.</li><li id="7273" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">The cleartext SSH password was stored as ASCII text within a large block of nulls in the memory image.</li></ul><h1 id="38cb" class="hy hz dg av aw ia ib hd ic id ie hh if ig ih ii ij ik il im in io ip iq ir is ed">Stage 2: Find anomalies</h1><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm lf"><div class="km s kn ko"><div class="lg kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*io5nl4TH24wQgMsR_YBY5g.png?q=20" width="473" height="336" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="473" height="336" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/946/1*io5nl4TH24wQgMsR_YBY5g.png" width="473" height="336" srcSet="https://miro.medium.com/max/552/1*io5nl4TH24wQgMsR_YBY5g.png 276w, https://miro.medium.com/max/946/1*io5nl4TH24wQgMsR_YBY5g.png 473w" sizes="473px" role="presentation"/></noscript></div></div></div></figure><p id="65f3" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Using the information we gathered from the research on the technique. 
We’ll now search for the suspicious behaviors in the network by focusing on anomalies (Look for techniques using multiple dimensions: parent/child relationships, command lines arguments, environment variables, accounts, permissions, memory etc.)</p><p id="46e4" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">The following examples will help you define your searches:</p><p id="1902" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Search for processes that use <em class="hx">/proc/&lt;pid&gt;/maps</em>, <em class="hx">/etc/passwd</em>, <em class="hx">/etc/shadow</em> files or modifications of <em class="hx">/etc/login.defs</em> file which provides the default configuration information for several user account parameters.</p><p id="8f75" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Pay attention that <em class="hx">useradd</em>, <em class="hx">usermod</em>, <em class="hx">userdel</em> and <em class="hx">groupadd</em> system commands as well as other user management utilities read the <em class="hx">login.defs</em> file. We can study the interaction between these commands and <em class="hx">login.defs</em> so that we can filter out expected behavior (i.e. 
false positives) in the next steps of our investigation.</p>
</em>Following are additional files that can be manipulated for malicious dumping:</p><ul class=""><li id="e3ff" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed"><em class="hx">/etc/systemd/coredump.conf</em></li><li id="dfd2" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">/etc/systemd/coredump.conf.d/*.conf</em></li><li id="f693" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">/run/systemd/coredump.conf.d/*.conf</em></li><li id="3b7f" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">/usr/lib/systemd/coredump.conf.d/*.conf</em></li><li id="219d" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">/etc/systemd/systemd.conf</em></li></ul><p id="2708" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">We can also look for the use of memory dumping commands, like:</p><ul class=""><li id="0da3" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed"><em class="hx">gcore</em></li><li id="0ad8" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">cat /proc/&lt;pid&gt;/maps</em></li><li id="63a4" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed"><em class="hx">gdb -pid &lt;pid&gt;</em> Then in the GDB shell: <em class="hx">(gdb) dump memory /root/output offset</em></li></ul><p id="55c3" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">And common credential dumping tools, like:</p><ul class=""><li id="624e" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed">mimipenguin</li><li id="93bb" class="gy gz dg ha b hb 
js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">3snake</li></ul></div></div></section><div class="n p ee lh li lj" role="separator"><span class="lk ej fu ll lm ln"></span><span class="lk ej fu ll lm ln"></span><span class="lk ej fu ll lm"></span></div><section class="cz da db dc dd"><div class="n p"><div class="ac ae af ag ah de aj ak"><p id="fb4f" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Let’s get a more in-depth look at the these tools, starting with mimipenguin.</p><p id="21ea" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed"><a class="es hw" href="https://github.com/huntergregal/mimipenguin" rel="noopener ugc nofollow" target="_blank">mimipenguin</a> — A tool to dump login passwords of Linux users</p><p id="375c" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">To understand <em class="hx">mimipenguin</em> process activity we’ll take a look at the process tree. 
More specifically, we’ll search for the <em class="hx">gcore</em> utility in the process tree (See below - any <em class="hx">gcore</em> image running under <em class="hx">bash → sudo</em>) because we know <em class="hx">mimipinguin</em> uses it to dump memory.</p><p id="574b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">By analyzing the process tree we can find suspicious parent-child relationships and understand the process activity:</p><figure class="kb kc kd ke kf kg cp lp ft lq lr ls lt lu ez lj lv lw lx ly lz paragraph-image"><div class="cl cm lo"><img alt="mimipinguin process tree" class="ak ma mb" src="https://miro.medium.com/max/706/1*4HP4BVieSOeSgFhrsTuT3g.png" width="353" height="155"/></div></figure><figure class="cd kg cl cm paragraph-image"><div class="cl cm mc"><img alt="mimipinguin process tree" class="ak ma mb" src="https://miro.medium.com/max/696/1*9mlhAq86oaeTAqYLqeUPqw.png" width="348" height="148"/></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 5–6: Verint TPS builds a tree for each executed process. We can see in this image that “mimipenguin” runs under the “<em class="md">sudo</em>” process who is a child of “bash” and creates a “dash” child process that is the parent of “gnome-keyring-daemon” (service that stores passwords) process. 
The process tree helps us understand the full activity in the process parent — child dimension.</figcaption></figure><p id="457b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">After we have an initial lead from the process tree, we can further investigate the raw data and analyse parameters such as the command line, path and users.</p></div></div><div class="kg"><div class="n p"><div class="me mf mg mh mi mj ag mk ah ml aj ak"><figure class="kb kc kd ke kf kg mn mo paragraph-image"><div role="button" tabindex="0" class="mp mq kn mr ak ms"><div class="cl cm mm"><img alt="" class="ak ma mb" src="https://miro.medium.com/max/2000/1*iJjryOjP3EuL_1FKpSnsxg.png" width="1000" height="37" role="presentation"/></div></div></figure><figure class="cd kg mn mo paragraph-image"><div role="button" tabindex="0" class="mp mq kn mr ak ms"><div class="cl cm mt"><img alt="" class="ak ma mb" src="https://miro.medium.com/max/2000/1*iEY9-VzilxpJMk9EeC3kKw.png" width="1000" height="69" role="presentation"/></div></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 7–8: Verint’s TPS presents full command line, image path, user and MD5 for each executed process. We can see in this image the full commands and that the process runs with “sudo” privileges under the user “root”. 
This is important for behavioral analysis and threat hunting.</figcaption></figure></div></div></div><div class="n p"><div class="ac ae af ag ah de aj ak"><p id="d35b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">(Another way to get this full information will be — combining the output from <em class="hx">ps</em>, <em class="hx">who</em>, <em class="hx">uname</em>, <em class="hx">ptrace</em>, <em class="hx">strace </em>and <em class="hx">file </em>commands)</p><p id="6a2b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">We will look for <em class="hx">gnome-keyring-daemon</em> process that does not run under its normal parent process. To understand what is “normal” we will look at a benign “gnome-keyring” process tree.</p><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm mu"><img alt="" class="ak ma mb" src="https://miro.medium.com/max/856/1*OWIYj0WIuOCcqgIgh9LHJQ.png" width="428" height="147" role="presentation"/></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 9: we will look at the child and parent process of the benign “gnome-keyring-daemon” process from the process tree.</figcaption></figure><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm mv"><img alt="" class="ak ma mb" src="https://miro.medium.com/max/852/1*r0jWBntXe01IJuvtPHqGgA.png" width="426" height="189" role="presentation"/></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 10: looking for “Xsession” parent process to find “gnome-keyring-daemon” full process tree.</figcaption></figure><p id="8b5e" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">In conclusion, we will look for <em class="hx">gnome-keyring-daemon</em> that does not run under the following tree:</p><p id="f285" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed"><em 
class="hx">gdm-session-worker </em>→ <em class="hx">Xsession</em> → <em class="hx">gnome-keyring-daemon</em> → <em class="hx">gnome-keyring-daemon</em></p><p id="9fb2" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Now we’ll turn to look at the other tool mentioned above called “3snake”.</p><p id="2c6b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">3snake — Dump <em class="hx">sshd</em> and <em class="hx">sudo</em> credential related strings</p><p id="eee3" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">By understanding how “3snake” works, you can learn how to search for it in the data:</p><ul class=""><li id="bc2c" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed">3snake reads memory from sshd and sudo system calls that handle password-based authentication</li><li id="6ebb" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">It doesn’t write to the memory of the traced process</li><li id="a581" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">3snake spawns a new process for every sshd and sudo command that it runs</li><li id="e7e7" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">Listens for the proc event using netlink sockets to get candidate processes to trace</li><li id="1af6" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">When it detects a running process that uses sshd or sudo, ptrace is attached and traces read and write system calls, extracting strings related to password based authentication</li></ul><p id="267a" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">From the above analysis, we conclude that 3snake creates multiple threads and processes. 
We will look for excessive process activity, as in the process tree below:
When you finish, check if there is a technique missing or more “known good” data to filter out.</p><p id="eb70" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">In our credential-dumping hunt, we can do the following:</p><ol class=""><li id="1d9b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv jp jq jr ed">Identify normal passwd activity, for example, look for all passwd references as a process or as a process command line:</li></ol></div></div><div class="kg"><div class="n p"><div class="me mf mg mh mi mj ag mk ah ml aj ak"><figure class="kb kc kd ke kf kg mn mo paragraph-image"><div role="button" tabindex="0" class="mp mq kn mr ak ms"><div class="cl cm ai"><img alt="" class="ak ma mb" src="https://miro.medium.com/max/2000/1*zylUKyd7zBiAuRaTy0qiYA.png" width="1000" height="236" role="presentation"/></div></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">Image 12: TPS endpoint forensics agent collects process execution information from the Kernel. We can search for “passwd” file/system command reference on that data. Another way to get this full information will be — combining the output from “ps”, “who”, “uname”,”ptrace” , “strace” and “file” commands.</figcaption></figure></div></div></div><div class="n p"><div class="ac ae af ag ah de aj ak"><p id="15a2" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">2. 
Find indicators of benign activity, like the full process tree (systemd → anacron → dash → run-parts → dash → (cmp, chmod, cmp, cp)), user: root
Check System processes normal activity for relevant commands (like <em class="hx">compgen</em>, <em class="hx">getent</em>, <em class="hx">passwd</em>, <em class="hx">useradd</em>, <em class="hx">groupadd</em>, <em class="hx">usermod</em>, <em class="hx">chsh</em>, <em class="hx">chfn</em>, <em class="hx">users</em>, <em class="hx">id</em>, <em class="hx">groups</em>, <em class="hx">last</em>, <em class="hx">logname</em>, <em class="hx">w</em>, <em class="hx">who</em>, <em class="hx">whoami</em>, <em class="hx">members</em>, <em class="hx">groupmod</em>, <em class="hx">finger</em>, <em class="hx">su</em>, <em class="hx">gpasswd</em>, <em class="hx">chgrp</em>)</p><p id="e7ce" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">4. Search whether<em class="hx"> /etc/shadow</em> and <em class="hx">/etc/passwd</em> were copied (which are used to unshadow with ‘John the Ripper’, an open source tool used for password cracking) by the same user or at the same time.</p><p id="e050" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">5. Check system binary activity; Try to specify the suspicious activity by multiple parameters (command line, privileges, memory etc.) to avoid whitelisting a full binary that can be poisoned (i.e. 
replacing system binary with a malicious one).</p><p id="1839" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">For example: If you whitelist “ls” binary activity (by name and process tree only) to avoid result overload, you can miss malicious activity in case “ls” was replaced with a malicious file.</p><h1 id="f6f2" class="hy hz dg av aw ia ib hd ic id ie hh if ig ih ii ij ik il im in io ip iq ir is ed">Stage 4: query, refine and repeat</h1><p id="bfae" class="gy gz dg ha b hb jk hd he hf jl hh hi hj jm hl hm hn jn hp hq hr jo ht hu hv cz ed">Now that we understand how an attack looks like and how normal behavior looks like, we will combine both and use it for threat hunting.</p><p id="e2b9" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Hunting for memory dumps files</p><p id="443a" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">We’ll look for all dump files that were not created by the <em class="hx">abrt</em> process (<em class="hx">abrt, </em>atomic bug report tool, is Linux system daemon that reads process memory and may seem suspicious).</p><p id="37df" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Query example:</p><figure class="kb kc kd ke kf kg"><div class="km s kn"><div class="na kq s"></div></div><figcaption class="ku kv cn cl cm kw kx av b en eo gl">(Relying on the dump file name to contain the string “dump” in it is bad, but bear with me for the sake of this explanation).</figcaption></figure><p id="9d8f" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">To hunt for processes that creates activity using user credentials, like:</p><ul class=""><li id="ab95" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed">Processes that perform activities on files that contain passwords and don’t run unser 
“run-parts”, “getent” or “abrt-watch-log” system commands, which are part of normal system activity.
Remove SAP utilities activity)</p><p id="49cc" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Beware — filtering out full commands will lower your ability to detect injections or binary poisoning.</p><h1 id="6575" class="hy hz dg av aw ia ib hd ic id ie hh if ig ih ii ij ik il im in io ip iq ir is ed">Summary &amp; Conclusions</h1><p id="6970" class="gy gz dg ha b hb jk hd he hf jl hh hi hj jm hl hm hn jn hp hq hr jo ht hu hv cz ed">We described a threat hunting process which includes four stages:</p><ul class=""><li id="deec" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv le jq jr ed">Understanding the attack techniques you’d like to find</li><li id="043b" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">Conducting research on how attackers implement these technique</li><li id="50f4" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">Searching the suspicious data in the organization to find anomalies which require further analysis</li><li id="ac28" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">Filtering out normal activities which look anomalous</li><li id="f431" class="gy gz dg ha b hb js hd he hf jt hh hi hj ju hl hm hn jv hp hq hr jw ht hu hv le jq jr ed">Repeating the above process while refining the queries until no anomalies are left or an attack was identified</li></ul><p id="e20a" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">To exemplify the implementation of this process, we used information from MITRE ATT&amp;CK Matrix as well as academic papers which surveyed past attacks against Linux based systems to prioritize a hunting hypothesis. 
I focused on the “credential dumping” technique since it is common, easy to understand and does not require a lot of research to threat hunt most of its implementations.</p><p id="542b" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">The information provided throughout this blog includes queries against malicious data and examples of known good behavior which we can carefully whitelist. Each environment has its own unique anomalies. You need to carefully analyze all the anomalies you find and remove those which do not describe real threats to your network. It is a tedious and iterative process, but at the end you’ll be able to come to a conclusion about your hunt hypothesis.</p><p id="ee64" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">I hope that this post helped you become even more excited about dealing with Linux threat hunting. I think that if you take each tactic systematically, you will find it interesting. 
Look at this experience as a new opportunity to see the beauty of Linux Internals.</p><figure class="kb kc kd ke kf kg cl cm paragraph-image"><div class="cl cm nb"><div class="km s kn ko"><div class="nc kq s"><div class="kh ki t u v kj ak az kk kl"><img alt="" class="t u v kj ak kr ks kt" src="https://miro.medium.com/max/60/1*VvjnekYka7oxwzaQkgSOUA.png?q=20" width="542" height="326" role="presentation"/></div><img alt="" class="kh ki t u v kj ak c" width="542" height="326" role="presentation"/><noscript><img alt="" class="t u v kj ak" src="https://miro.medium.com/max/1084/1*VvjnekYka7oxwzaQkgSOUA.png" width="542" height="326" srcSet="https://miro.medium.com/max/552/1*VvjnekYka7oxwzaQkgSOUA.png 276w, https://miro.medium.com/max/1084/1*VvjnekYka7oxwzaQkgSOUA.png 542w" sizes="542px" role="presentation"/></noscript></div></div></div></figure><p id="c72d" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">—</p><p id="c56c" class="gy gz dg ha b hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv cz ed">Thanks to <a class="es hw" href="https://www.linkedin.com/in/oren-biderman-1b734176/" rel="noopener ugc nofollow" target="_blank">Oren Biderman</a> and <a class="es hw" href="http://www.linkedin.com/in/micgen" rel="noopener ugc nofollow" target="_blank">Michael Gendelman</a> for reviewing this post and providing useful suggestions.</p></div></div></section></div></div></article><div class="kh cy ne nl ak nm u nj nn" data-test-id="post-sidebar"><div class="n p"><div class="ac ae af ag ah ai aj ak"><div class="no n np"><div class="cy"><div><div class="nr s"><a class="es et eu ev ew ex ey ez bu fa ga gb fc fd fe" href="/verint-cyber-engineering?source=post_sidebar--------------------------post_sidebar--------------" rel="noopener follow"><h2 class="av aw nq eo bg ed cz">Verint Cyber Engineering</h2></a><div class="ns nt s"><p class="av b en eo az nu bb bc nv be bf gl">Cyber Security that makes a difference</p></div><div 
{"algolia":{"queries":{}},"auroraPage":{"isAuroraPageEnabled":false},"bookReader":{"assets":{},"reader":{"currentAsset":null,"currentGFI":null,"settingsPanelIsOpen":false,"settings":{"fontFamily":"CHARTER","fontScale":"M","publisherStyling":false,"textAlignment":"start","theme":"White","lineSpacing":0,"wordSpacing":0,"letterSpacing":0},"internalNavCounter":0,"currentSelection":null}},"cache":{"experimentGroupSet":true,"reason":"","group":"enabled","tags":["group-edgeCachePosts","post-69484f58ac92","user-db944269e66c","collection-c94dad1730c4"],"serverVariantState":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","middlewareEnabled":true,"cacheStatus":"DYNAMIC","shouldUseCache":true,"vary":[]},"client":{"hydrated":false,"isUs":false,"isNativeMedium":false,"isSafariMobile":false,"isSafari":false,"routingEntity":{"type":"DEFAULT","explicit":false},"viewerIsBot":false},"debug":{"requestId":"30c48d83-4364-4b05-b46b-320cf7773dda","hybridDevServices":[],"showBookReaderDebugger":false,"originalSpanCarrier":{"ot-tracer-spanid":"4ab178803cc80945","ot-tracer-traceid":"7da98034ac77c64a","ot-tracer-sampled":"true"}},"multiVote":{"clapsPerPost":{}},"navigation":{"branch":{"show":null,"hasRendered":null,"blockedByCTA":false},"hideGoogleOneTap":false,"hasRenderedGoogleOneTap":null,"hasRenderedAlternateUserBanner":null,"currentLocation":"https:\u002F\u002Fmedium.com\u002Fverint-cyber-engineering\u002Flinux-threat-hunting-primer-part-ii-69484f58ac92","host":"medium.com","hostname":"medium.com","referrer":"","hasSetReferrer":false,"susiModal":{"step":null,"operation":"register"},"postRead":false,"queryString":"","currentHash":""},"tracing":{},"userOnboarding":{"showFirstBookPurchaseTooltip":false},"config":{"nodeEnv":"production","version":"main-20211221-164410-1a06fba482","isTaggedVersion":false,"isMediumDotApp":false,"isMediumDotAppVariant":false,"target":"production","productName":"Medium","publicUrl":"https:\u002F\u002Fcdn-client.medium.com\u002Flite","authDomain
":"medium.com","authGoogleClientId":"216296035834-k1k6qe060s2tp2a2jam4ljdcms00sttg.apps.googleusercontent.com","favicon":"production","glyphUrl":"https:\u002F\u002Fglyph.medium.com","branchKey":"key_live_ofxXr2qTrrU9NqURK8ZwEhknBxiI6KBm","lightStep":{"name":"lite-web","host":"lightstep.medium.systems","token":"ce5be895bef60919541332990ac9fef2","appVersion":"main-20211221-164410-1a06fba482","disableClientReporting":true},"algolia":{"appId":"MQ57UUUQZ2","apiKeySearch":"394474ced050e3911ae2249ecc774921","indexPrefix":"medium_","host":"-dsn.algolia.net"},"recaptchaKey":"6Lfc37IUAAAAAKGGtC6rLS13R1Hrw_BqADfS1LRk","recaptcha3Key":"6Lf8R9wUAAAAABMI_85Wb8melS7Zj6ziuf99Yot5","datadog":{"applicationId":"6702d87d-a7e0-42fe-bbcb-95b469547ea0","clientToken":"pub853ea8d17ad6821d9f8f11861d23dfed","rumToken":"pubf9cc52896502b9413b68ba36fc0c7162","context":{"deployment":{"target":"production","tag":"main-20211221-164410-1a06fba482","commit":"1a06fba482b2db140c3b32d276409078993c91f6"}},"datacenter":"us"},"googleAnalyticsCode":"UA-24232453-2","googlePay":{"apiVersion":"2","apiVersionMinor":"0","merchantId":"BCR2DN6TV7EMTGBM","merchantName":"Medium","instanceMerchantId":"13685562959212738550"},"applePay":{"version":3},"signInWallCustomDomainCollectionIds":["3a8144eabfe3","336d898217ee","61061eb0c96b","138adf9c44c","819cc2aaeee0"],"mediumOwnedAndOperatedCollectionIds":["8a9336e5bb4","b7e45b22fec3","193b68bd4fba","8d6b8a439e32","54c98c43354d","3f6ecf56618","d944778ce714","92d2092dc598","ae2a65f35510","1285ba81cada","544c7006046e","fc8964313712","40187e704f1c","88d9857e584e","7b6769f2748b","bcc38c8f6edf","cef6983b292","cb8577c9149e","444d13b52878","713d7dbc99b0","ef8e90590e66","191186aaafa0","55760f21cdc5","9dc80918cc93","bdc4052bbdba","8ccfed20cbb2"],"tierOneDomains":["medium.com","thebolditalic.com","arcdigital.media","towardsdatascience.com","uxdesign.cc","codeburst.io","psiloveyou.xyz","writingcooperative.com","entrepreneurshandbook.co","prototypr.io","betterhumans.coach.me","theascent
.pub"],"topicsToFollow":["d61cf867d93f","8a146bc21b28","1eca0103fff3","4d562ee63426","aef1078a3ef5","e15e46793f8d","6158eb913466","55f1c20aba7a","3d18b94f6858","4861fee224fd","63c6f1f93ee","1d98b3a9a871","decb52b64abf","ae5d4995e225","830cded25262"],"topicToTagMappings":{"accessibility":"accessibility","addiction":"addiction","android-development":"android-development","art":"art","artificial-intelligence":"artificial-intelligence","astrology":"astrology","basic-income":"basic-income","beauty":"beauty","biotech":"biotech","blockchain":"blockchain","books":"books","business":"business","cannabis":"cannabis","cities":"cities","climate-change":"climate-change","comics":"comics","coronavirus":"coronavirus","creativity":"creativity","cryptocurrency":"cryptocurrency","culture":"culture","cybersecurity":"cybersecurity","data-science":"data-science","design":"design","digital-life":"digital-life","disability":"disability","economy":"economy","education":"education","equality":"equality","family":"family","feminism":"feminism","fiction":"fiction","film":"film","fitness":"fitness","food":"food","freelancing":"freelancing","future":"future","gadgets":"gadgets","gaming":"gaming","gun-control":"gun-control","health":"health","history":"history","humor":"humor","immigration":"immigration","ios-development":"ios-development","javascript":"javascript","justice":"justice","language":"language","leadership":"leadership","lgbtqia":"lgbtqia","lifestyle":"lifestyle","machine-learning":"machine-learning","makers":"makers","marketing":"marketing","math":"math","media":"media","mental-health":"mental-health","mindfulness":"mindfulness","money":"money","music":"music","neuroscience":"neuroscience","nonfiction":"nonfiction","outdoors":"outdoors","parenting":"parenting","pets":"pets","philosophy":"philosophy","photography":"photography","podcasts":"podcast","poetry":"poetry","politics":"politics","privacy":"privacy","product-management":"product-management","productivity":"productivity","prog
ramming":"programming","psychedelics":"psychedelics","psychology":"psychology","race":"race","relationships":"relationships","religion":"religion","remote-work":"remote-work","san-francisco":"san-francisco","science":"science","self":"self","self-driving-cars":"self-driving-cars","sexuality":"sexuality","social-media":"social-media","society":"society","software-engineering":"software-engineering","space":"space","spirituality":"spirituality","sports":"sports","startups":"startup","style":"style","technology":"technology","transportation":"transportation","travel":"travel","true-crime":"true-crime","tv":"tv","ux":"ux","venture-capital":"venture-capital","visual-design":"visual-design","work":"work","world":"world","writing":"writing"},"defaultImages":{"avatar":{"imageId":"1*dmbNkD5D-u45r44go_cf0g.png","height":150,"width":150},"orgLogo":{"imageId":"1*OMF3fSqH8t4xBJ9-6oZDZw.png","height":106,"width":545},"postLogo":{"imageId":"1*kFrc4tBFM_tCis-2Ic87WA.png","height":810,"width":1440},"postPreviewImage":{"imageId":"1*hn4v1tCaJy7cWMyb0bpNpQ.png","height":386,"width":579}},"collectionStructuredData":{"8d6b8a439e32":{"name":"Elemental","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F980\u002F1*9ygdqoKprhwuTVKUM0DLPA@2x.png","width":980,"height":159}}},"3f6ecf56618":{"name":"Forge","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F596\u002F1*uULpIlImcO5TDuBZ6lm7Lg@2x.png","width":596,"height":183}}},"ae2a65f35510":{"name":"GEN","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"http
s:\u002F\u002Fmiro.medium.com\u002Fmax\u002F264\u002F1*RdVZMdvfV3YiZTw6mX7yWA.png","width":264,"height":140}}},"88d9857e584e":{"name":"LEVEL","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*JqYMhNX6KNNb2UlqGqO2WQ.png","width":540,"height":108}}},"7b6769f2748b":{"name":"Marker","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F383\u002F1*haCUs0wF6TgOOvfoY-jEoQ@2x.png","width":383,"height":92}}},"444d13b52878":{"name":"OneZero","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*cw32fIqCbRWzwJaoQw6BUg.png","width":540,"height":123}}},"8ccfed20cbb2":{"name":"Zora","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*tZUQqRcCCZDXjjiZ4bDvgQ.png","width":540,"height":106}}}},"embeddedPostIds":{"coronavirus":"cd3010f9d81f"},"sharedCdcMessaging":{"COVID_APPLICABLE_TAG_SLUGS":[],"COVID_APPLICABLE_TOPIC_NAMES":[],"COVID_APPLICABLE_TOPIC_NAMES_FOR_TOPIC_PAGE":[],"COVID_MESSAGES":{"tierA":{"text":"For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":66,"end":73,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"tierB":{"text":"Anyone can publish on Medium per our Policies, but we don’t fact-check every story. 
For more info about the coronavirus, see cdc.gov.","markups":[{"start":37,"end":45,"href":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Fcategories\u002F201931128-Policies-Safety"},{"start":125,"end":132,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"paywall":{"text":"This article has been made free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":56,"end":70,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":138,"end":145,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"unbound":{"text":"This article is free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":45,"end":59,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":127,"end":134,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]}},"COVID_BANNER_POST_ID_OVERRIDE_WHITELIST":["3b31a67bff4a"]},"sharedVoteMessaging":{"TAGS":["politics","election-2020","government","us-politics","election","2020-presidential-race","trump","donald-trump","democrats","republicans","congress","republican-party","democratic-party","biden","joe-biden","maga"],"TOPICS":["politics","election"],"MESSAGE":{"text":"Find out more about the U.S. 
election results here.","markups":[{"start":46,"end":50,"href":"https:\u002F\u002Fcookpolitical.com\u002F2020-national-popular-vote-tracker"}]},"EXCLUDE_POSTS":["397ef29e3ca5"]},"embedPostRules":[],"recircOptions":{"v1":{"limit":3},"v2":{"limit":8}},"braintreeClientKey":"production_zjkj96jm_m56f8fqpf7ngnrd4","braintree":{"enabled":true,"merchantId":"m56f8fqpf7ngnrd4","merchantAccountId":{"usd":"AMediumCorporation_instant","eur":"amediumcorporation_EUR"},"publicKey":"cwr8xtycwgjryv82","braintreeEnvironment":"production","dashboardUrl":"https:\u002F\u002Fwww.braintreegateway.com\u002Fmerchants","gracePeriodDurationInDays":14,"mediumMembershipPlanId":{"monthly":"ce105f8c57a3","monthlyWithTrial":"d5ee3dbe3db8","yearly":"a40ad4a43185","yearlyStaff":"d74fb811198a","yearlyWithTrial":"b3bc7350e5c7"},"braintreeDiscountId":{"oneMonthFree":"MONTHS_FREE_01","threeMonthsFree":"MONTHS_FREE_03","sixMonthsFree":"MONTHS_FREE_06"},"3DSecureVersion":"2","defaultCurrency":"usd"},"paypalClientId":"AXj1G4fotC2GE8KzWX9mSxCH1wmPE3nJglf4Z2ig_amnhvlMVX87otaq58niAg9iuLktVNF_1WCMnN7v","paypal":{"host":"https:\u002F\u002Fapi.paypal.com:443","clientMode":"production","serverMode":"live","webhookId":"4G466076A0294510S","monthlyPlan":{"planId":"P-9WR0658853113943TMU5FDQA","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlan":{"planId":"P-7N8963881P8875835MU5JOPQ","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oneYearGift":{"name":"Medium Membership (1 Year, Digital Gift Code)","description":"Unlimited access to the best and brightest stories on Medium. 
Gift codes can be redeemed at medium.com\u002Fredeem.","price":"50.00","currency":"USD","sku":"membership-gift-1-yr"},"oldMonthlyPlan":{"planId":"P-96U02458LM656772MJZUVH2Y","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlan":{"planId":"P-59P80963JF186412JJZU3SMI","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"monthlyPlanWithTrial":{"planId":"P-66C21969LR178604GJPVKUKY","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlanWithTrial":{"planId":"P-6XW32684EX226940VKCT2MFA","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oldMonthlyPlanNoSetupFee":{"planId":"P-4N046520HR188054PCJC7LJI","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlanNoSetupFee":{"planId":"P-7A4913502Y5181304CJEJMXQ","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. 
Membership billed annually."},"sdkUrl":"https:\u002F\u002Fwww.paypal.com\u002Fsdk\u002Fjs"},"stripePublishableKey":"pk_live_7FReX44VnNIInZwrIIx6ghjl","log":{"json":true,"level":"info"}},"session":{"xsrf":""}}</script><script>window.__APOLLO_STATE__ = {"ROOT_QUERY":{"__typename":"Query","meterPost({\"postId\":\"69484f58ac92\",\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__ref":"MeteringInfo:{}"},"postResult({\"id\":\"69484f58ac92\"})":{"__ref":"Post:69484f58ac92"}},"MeteringInfo:{}":{"__typename":"MeteringInfo","postIds":[],"maxUnlockCount":3,"unlocksRemaining":0},"User:db944269e66c":{"id":"db944269e66c","__typename":"User","customStyleSheet":null,"isSuspended":false,"name":"VerintCyberSec","bio":"","imageId":"1*dmbNkD5D-u45r44go_cf0g.png","hasCompletedProfile":false,"username":"VerintCyberSec","isAuroraVisible":true,"mediumMemberAt":0,"socialStats":{"__typename":"SocialStats","followerCount":55,"followingCount":1,"collectionFollowingCount":2},"customDomainState":null,"hasSubdomain":false,"bookAuthor":null,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:db944269e66c-viewerId:lo_6ca4a925ba62"},"viewerIsUser":false,"newsletterV3":null,"homepagePostsConnection({\"paging\":{\"limit\":1}})":{"__typename":"PostConnection","posts":[{"__ref":"Post:69484f58ac92"}]},"postSubscribeMembershipUpsellShownAt":0,"allowNotes":true,"replyToEmailBannerShownCount":0,"twitterScreenName":"","followedCollections":2,"referredMembershipCustomHeadline":"","referredMembershipCustomBody":"","atsQualifiedAt":0},"ImageMetadata:":{"id":"","__typename":"ImageMetadata","originalWidth":0,"originalHeight":0,"focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId:c94dad1730c4-viewerId:lo_6ca4a925ba62":{"id":"collectionId:c94dad1730c4-viewerId:lo_6ca4a925ba62","__typename":"CollectionViewerEdge","isEditor":false},"ImageMetadata:1*o4kvO5IhQn7nyAud859fDQ.jpeg":{"id":"1*o4kvO5IhQn7nyAud859fDQ.jpeg","__typename":"ImageMetada
ta"},"Collection:c94dad1730c4":{"id":"c94dad1730c4","__typename":"Collection","domain":null,"googleAnalyticsId":null,"slug":"verint-cyber-engineering","colorBehavior":"ACCENT_COLOR_AND_FILL_BACKGROUND","isAuroraVisible":false,"favicon":{"__ref":"ImageMetadata:"},"name":"Verint Cyber Engineering","colorPalette":{"__typename":"ColorPalette","highlightSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FFF5F2F1","point":0},{"__typename":"ColorPoint","color":"#FFF3F0EF","point":0.1},{"__typename":"ColorPoint","color":"#FFF1EEED","point":0.2},{"__typename":"ColorPoint","color":"#FFEFECEC","point":0.3},{"__typename":"ColorPoint","color":"#FFEDEAEA","point":0.4},{"__typename":"ColorPoint","color":"#FFEBE8E8","point":0.5},{"__typename":"ColorPoint","color":"#FFE9E6E6","point":0.6},{"__typename":"ColorPoint","color":"#FFE7E5E4","point":0.7},{"__typename":"ColorPoint","color":"#FFE5E3E2","point":0.8},{"__typename":"ColorPoint","color":"#FFE4E1E0","point":0.9},{"__typename":"ColorPoint","color":"#FFE2DFDE","point":1}]},"defaultBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FF868484","point":0},{"__typename":"ColorPoint","color":"#FF7C7B7A","point":0.1},{"__typename":"ColorPoint","color":"#FF737171","point":0.2},{"__typename":"ColorPoint","color":"#FF696867","point":0.3},{"__typename":"ColorPoint","color":"#FF5F5E5E","point":0.4},{"__typename":"ColorPoint","color":"#FF555454","point":0.5},{"__typename":"ColorPoint","color":"#FF4A4949","point":0.6},{"__typename":"ColorPoint","color":"#FF3F3E3E","point":0.7},{"__typename":"ColorPoint","color":"#FF343333","point":0.8},{"__typename":"ColorPoint","color":"#FF272727","point":0.9},{"__typename":"ColorPoint","color":"#FF1A1A1A","point":1}]},"tintBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FF000000","colorPoints":[{"__typename":"ColorPoint","color":"#FF000000
","point":0},{"__typename":"ColorPoint","color":"#FF1E1D1D","point":0.1},{"__typename":"ColorPoint","color":"#FF3C3B3B","point":0.2},{"__typename":"ColorPoint","color":"#FF565555","point":0.3},{"__typename":"ColorPoint","color":"#FF6F6D6D","point":0.4},{"__typename":"ColorPoint","color":"#FF868484","point":0.5},{"__typename":"ColorPoint","color":"#FF9C9A99","point":0.6},{"__typename":"ColorPoint","color":"#FFB1AEAE","point":0.7},{"__typename":"ColorPoint","color":"#FFC5C3C2","point":0.8},{"__typename":"ColorPoint","color":"#FFD9D6D6","point":0.9},{"__typename":"ColorPoint","color":"#FFECE9E9","point":1}]}},"customStyleSheet":null,"tagline":"Cyber Security that makes a difference","isAuroraEligible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:c94dad1730c4-viewerId:lo_6ca4a925ba62"},"logo":{"__ref":"ImageMetadata:"},"navItems":[],"creator":{"__ref":"User:db944269e66c"},"subscriberCount":50,"newsletterV3":null,"avatar":{"__ref":"ImageMetadata:1*o4kvO5IhQn7nyAud859fDQ.jpeg"},"canToggleEmail":false,"description":"Cyber Security that makes a 
difference","ampEnabled":false,"twitterUsername":"verint_cyber","facebookPageId":null,"customDomainState":null,"ptsQualifiedAt":0},"UserViewerEdge:userId:db944269e66c-viewerId:lo_6ca4a925ba62":{"id":"userId:db944269e66c-viewerId:lo_6ca4a925ba62","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"Post:69484f58ac92":{"id":"69484f58ac92","__typename":"Post","creator":{"__ref":"User:db944269e66c"},"canonicalUrl":"","collection":{"__ref":"Collection:c94dad1730c4"},"content({\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:7697f2ce4bbd_0"},{"__ref":"Paragraph:7697f2ce4bbd_1"},{"__ref":"Paragraph:7697f2ce4bbd_2"},{"__ref":"Paragraph:7697f2ce4bbd_3"},{"__ref":"Paragraph:7697f2ce4bbd_4"},{"__ref":"Paragraph:7697f2ce4bbd_5"},{"__ref":"Paragraph:7697f2ce4bbd_6"},{"__ref":"Paragraph:7697f2ce4bbd_7"},{"__ref":"Paragraph:7697f2ce4bbd_8"},{"__ref":"Paragraph:7697f2ce4bbd_9"},{"__ref":"Paragraph:7697f2ce4bbd_10"},{"__ref":"Paragraph:7697f2ce4bbd_11"},{"__ref":"Paragraph:7697f2ce4bbd_12"},{"__ref":"Paragraph:7697f2ce4bbd_13"},{"__ref":"Paragraph:7697f2ce4bbd_14"},{"__ref":"Paragraph:7697f2ce4bbd_15"},{"__ref":"Paragraph:7697f2ce4bbd_16"},{"__ref":"Paragraph:7697f2ce4bbd_17"},{"__ref":"Paragraph:7697f2ce4bbd_18"},{"__ref":"Paragraph:7697f2ce4bbd_19"},{"__ref":"Paragraph:7697f2ce4bbd_20"},{"__ref":"Paragraph:7697f2ce4bbd_21"},{"__ref":"Paragraph:7697f2ce4bbd_22"},{"__ref":"Paragraph:7697f2ce4bbd_23"},{"__ref":"Paragraph:7697f2ce4bbd_24"},{"__ref":"Paragraph:7697f2ce4bbd_25"},{"__ref":"Paragraph:7697f2ce4bbd_26"},{"__ref":"Paragraph:7697f2ce4bbd_27"},{"__ref":"Paragraph:7697f2ce4bbd_28"},{"__ref":"Paragraph:7697f2ce4bbd_29"},{"__ref":"Paragraph:7697f2ce4bbd_30"},{"__ref":"Paragraph:7697f2ce4bbd_31"},{"__ref":"Paragraph:7697f2ce4bbd_32"},{"__ref":"Paragraph:7697f2ce4bbd_33"},{"__ref":"Paragraph:769
7f2ce4bbd_34"},{"__ref":"Paragraph:7697f2ce4bbd_35"},{"__ref":"Paragraph:7697f2ce4bbd_36"},{"__ref":"Paragraph:7697f2ce4bbd_37"},{"__ref":"Paragraph:7697f2ce4bbd_38"},{"__ref":"Paragraph:7697f2ce4bbd_39"},{"__ref":"Paragraph:7697f2ce4bbd_40"},{"__ref":"Paragraph:7697f2ce4bbd_41"},{"__ref":"Paragraph:7697f2ce4bbd_42"},{"__ref":"Paragraph:7697f2ce4bbd_43"},{"__ref":"Paragraph:7697f2ce4bbd_44"},{"__ref":"Paragraph:7697f2ce4bbd_45"},{"__ref":"Paragraph:7697f2ce4bbd_46"},{"__ref":"Paragraph:7697f2ce4bbd_47"},{"__ref":"Paragraph:7697f2ce4bbd_48"},{"__ref":"Paragraph:7697f2ce4bbd_49"},{"__ref":"Paragraph:7697f2ce4bbd_50"},{"__ref":"Paragraph:7697f2ce4bbd_51"},{"__ref":"Paragraph:7697f2ce4bbd_52"},{"__ref":"Paragraph:7697f2ce4bbd_53"},{"__ref":"Paragraph:7697f2ce4bbd_54"},{"__ref":"Paragraph:7697f2ce4bbd_55"},{"__ref":"Paragraph:7697f2ce4bbd_56"},{"__ref":"Paragraph:7697f2ce4bbd_57"},{"__ref":"Paragraph:7697f2ce4bbd_58"},{"__ref":"Paragraph:7697f2ce4bbd_59"},{"__ref":"Paragraph:7697f2ce4bbd_60"},{"__ref":"Paragraph:7697f2ce4bbd_61"},{"__ref":"Paragraph:7697f2ce4bbd_62"},{"__ref":"Paragraph:7697f2ce4bbd_63"},{"__ref":"Paragraph:7697f2ce4bbd_64"},{"__ref":"Paragraph:7697f2ce4bbd_65"},{"__ref":"Paragraph:7697f2ce4bbd_66"},{"__ref":"Paragraph:7697f2ce4bbd_67"},{"__ref":"Paragraph:7697f2ce4bbd_68"},{"__ref":"Paragraph:7697f2ce4bbd_69"},{"__ref":"Paragraph:7697f2ce4bbd_70"},{"__ref":"Paragraph:7697f2ce4bbd_71"},{"__ref":"Paragraph:7697f2ce4bbd_72"},{"__ref":"Paragraph:7697f2ce4bbd_73"},{"__ref":"Paragraph:7697f2ce4bbd_74"},{"__ref":"Paragraph:7697f2ce4bbd_75"},{"__ref":"Paragraph:7697f2ce4bbd_76"},{"__ref":"Paragraph:7697f2ce4bbd_77"},{"__ref":"Paragraph:7697f2ce4bbd_78"},{"__ref":"Paragraph:7697f2ce4bbd_79"},{"__ref":"Paragraph:7697f2ce4bbd_80"},{"__ref":"Paragraph:7697f2ce4bbd_81"},{"__ref":"Paragraph:7697f2ce4bbd_82"},{"__ref":"Paragraph:7697f2ce4bbd_83"},{"__ref":"Paragraph:7697f2ce4bbd_84"},{"__ref":"Paragraph:7697f2ce4bbd_85"},{"__ref":"Paragraph:7697f2ce4bbd_86"},{"__ref":
"Paragraph:7697f2ce4bbd_87"},{"__ref":"Paragraph:7697f2ce4bbd_88"},{"__ref":"Paragraph:7697f2ce4bbd_89"},{"__ref":"Paragraph:7697f2ce4bbd_90"},{"__ref":"Paragraph:7697f2ce4bbd_91"},{"__ref":"Paragraph:7697f2ce4bbd_92"},{"__ref":"Paragraph:7697f2ce4bbd_93"},{"__ref":"Paragraph:7697f2ce4bbd_94"},{"__ref":"Paragraph:7697f2ce4bbd_95"},{"__ref":"Paragraph:7697f2ce4bbd_96"},{"__ref":"Paragraph:7697f2ce4bbd_97"},{"__ref":"Paragraph:7697f2ce4bbd_98"},{"__ref":"Paragraph:7697f2ce4bbd_99"},{"__ref":"Paragraph:7697f2ce4bbd_100"},{"__ref":"Paragraph:7697f2ce4bbd_101"},{"__ref":"Paragraph:7697f2ce4bbd_102"},{"__ref":"Paragraph:7697f2ce4bbd_103"},{"__ref":"Paragraph:7697f2ce4bbd_104"},{"__ref":"Paragraph:7697f2ce4bbd_105"},{"__ref":"Paragraph:7697f2ce4bbd_106"},{"__ref":"Paragraph:7697f2ce4bbd_107"},{"__ref":"Paragraph:7697f2ce4bbd_108"},{"__ref":"Paragraph:7697f2ce4bbd_109"},{"__ref":"Paragraph:7697f2ce4bbd_110"},{"__ref":"Paragraph:7697f2ce4bbd_111"},{"__ref":"Paragraph:7697f2ce4bbd_112"},{"__ref":"Paragraph:7697f2ce4bbd_113"},{"__ref":"Paragraph:7697f2ce4bbd_114"},{"__ref":"Paragraph:7697f2ce4bbd_115"},{"__ref":"Paragraph:7697f2ce4bbd_116"},{"__ref":"Paragraph:7697f2ce4bbd_117"},{"__ref":"Paragraph:7697f2ce4bbd_118"},{"__ref":"Paragraph:7697f2ce4bbd_119"},{"__ref":"Paragraph:7697f2ce4bbd_120"},{"__ref":"Paragraph:7697f2ce4bbd_121"},{"__ref":"Paragraph:7697f2ce4bbd_122"}],"sections":[{"__typename":"Section","name":"7945","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null},{"__typename":"Section","name":"6aeb","startIndex":53,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null}]}},"customStyleSheet":null,"firstPublishedAt":1578225661944,"isIndexable":true,"isLocked":false,"isPublished":true,"isShortform":false,"layerCake":0,"primaryTopic":null,"title":"Linux Threat Hunting Primer — Part 
II","isMarkedPaywallOnly":false,"mediumUrl":"https:\u002F\u002Fmedium.com\u002Fverint-cyber-engineering\u002Flinux-threat-hunting-primer-part-ii-69484f58ac92","readingTime":9.170754716981133,"detectedLanguage":"en","wordCount":1993,"isLimitedState":false,"visibility":"PUBLIC","license":"ALL_RIGHTS_RESERVED","inResponseToPostResult":null,"allowResponses":true,"newsletterId":"","sequence":null,"tags":[{"__ref":"Tag:threat-hunting"},{"__ref":"Tag:forensics"},{"__ref":"Tag:mitre"},{"__ref":"Tag:cybersecurity"},{"__ref":"Tag:linux-forensics"}],"topics":[{"__typename":"Topic","topicId":"d4e7f4144ac5","name":"Cybersecurity"}],"isNewsletter":false,"isPublishToEmail":false,"socialTitle":"","socialDek":"","noIndex":null,"curationStatus":null,"metaDescription":"","latestPublishedAt":1578225661944,"previewContent":{"__typename":"PreviewContent","subtitle":"A full threat hunting process on one MITRE ATT&CK technique"},"previewImage":{"__ref":"ImageMetadata:1*SDKkLzsh8ofgYCuFDj1gBQ.png"},"clapCount":53,"postResponses":{"__typename":"PostResponses","count":0},"isSuspended":false,"pendingCollection":null,"statusForCollection":"APPROVED","lockedSource":"LOCKED_POST_SOURCE_NONE","pinnedAt":0,"pinnedByCreatorAt":0,"curationEligibleAt":0,"responseDistribution":"NOT_DISTRIBUTED","inResponseToEntityType":null,"internalLinks({\"paging\":{\"limit\":8}})":{"__typename":"InternalLinksConnection","items":[{"__ref":"Post:29c0ad126938"},{"__ref":"Post:9e2629a6b5b9"},{"__ref":"Post:23aed1dce56d"},{"__ref":"Post:66df6f42c3c6"},{"__ref":"Post:6d2035075ab"},{"__ref":"Post:845000f146a8"},{"__ref":"Post:e7136bfe4f7a"},{"__ref":"Post:8dacede5bbcd"}]},"viewerEdge":{"__ref":"PostViewerEdge:postId:69484f58ac92-viewerId:lo_6ca4a925ba62"},"collaborators":[],"translationSourcePost":null,"audioVersionUrl":"","seoTitle":"","updatedAt":1639368979372,"shortformType":"SHORTFORM_TYPE_LINK","structuredData":"","seoDescription":"","latestPublishedVersion":"7697f2ce4bbd","isAuthorNewsletter":false,"voterCount":11,"r
ecommenders":[],"content({})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:7697f2ce4bbd_0"},{"__ref":"Paragraph:7697f2ce4bbd_1"},{"__ref":"Paragraph:7697f2ce4bbd_2"},{"__ref":"Paragraph:7697f2ce4bbd_3"},{"__ref":"Paragraph:7697f2ce4bbd_4"},{"__ref":"Paragraph:7697f2ce4bbd_5"},{"__ref":"Paragraph:7697f2ce4bbd_6"},{"__ref":"Paragraph:7697f2ce4bbd_7"},{"__ref":"Paragraph:7697f2ce4bbd_8"},{"__ref":"Paragraph:7697f2ce4bbd_9"},{"__ref":"Paragraph:7697f2ce4bbd_10"},{"__ref":"Paragraph:7697f2ce4bbd_11"},{"__ref":"Paragraph:7697f2ce4bbd_12"},{"__ref":"Paragraph:7697f2ce4bbd_13"},{"__ref":"Paragraph:7697f2ce4bbd_14"},{"__ref":"Paragraph:7697f2ce4bbd_15"},{"__ref":"Paragraph:7697f2ce4bbd_16"},{"__ref":"Paragraph:7697f2ce4bbd_17"},{"__ref":"Paragraph:7697f2ce4bbd_18"},{"__ref":"Paragraph:7697f2ce4bbd_19"},{"__ref":"Paragraph:7697f2ce4bbd_20"},{"__ref":"Paragraph:7697f2ce4bbd_21"},{"__ref":"Paragraph:7697f2ce4bbd_22"},{"__ref":"Paragraph:7697f2ce4bbd_23"},{"__ref":"Paragraph:7697f2ce4bbd_24"},{"__ref":"Paragraph:7697f2ce4bbd_25"},{"__ref":"Paragraph:7697f2ce4bbd_26"},{"__ref":"Paragraph:7697f2ce4bbd_27"},{"__ref":"Paragraph:7697f2ce4bbd_28"},{"__ref":"Paragraph:7697f2ce4bbd_29"},{"__ref":"Paragraph:7697f2ce4bbd_30"},{"__ref":"Paragraph:7697f2ce4bbd_31"},{"__ref":"Paragraph:7697f2ce4bbd_32"},{"__ref":"Paragraph:7697f2ce4bbd_33"},{"__ref":"Paragraph:7697f2ce4bbd_34"},{"__ref":"Paragraph:7697f2ce4bbd_35"},{"__ref":"Paragraph:7697f2ce4bbd_36"},{"__ref":"Paragraph:7697f2ce4bbd_37"},{"__ref":"Paragraph:7697f2ce4bbd_38"},{"__ref":"Paragraph:7697f2ce4bbd_39"},{"__ref":"Paragraph:7697f2ce4bbd_40"},{"__ref":"Paragraph:7697f2ce4bbd_41"},{"__ref":"Paragraph:7697f2ce4bbd_42"},{"__ref":"Paragraph:7697f2ce4bbd_43"},{"__ref":"Paragraph:7697f2ce4bbd_44"},{"__ref":"Paragraph:7697f2ce4bbd_45"},{"__ref":"Paragraph:7697f2ce4bbd_46"},{"__ref":"Paragraph:7697f2ce4bbd_47"},{"__ref":"Paragraph:7697f2
ce4bbd_48"},{"__ref":"Paragraph:7697f2ce4bbd_49"},{"__ref":"Paragraph:7697f2ce4bbd_50"},{"__ref":"Paragraph:7697f2ce4bbd_51"},{"__ref":"Paragraph:7697f2ce4bbd_52"},{"__ref":"Paragraph:7697f2ce4bbd_53"},{"__ref":"Paragraph:7697f2ce4bbd_54"},{"__ref":"Paragraph:7697f2ce4bbd_55"},{"__ref":"Paragraph:7697f2ce4bbd_56"},{"__ref":"Paragraph:7697f2ce4bbd_57"},{"__ref":"Paragraph:7697f2ce4bbd_58"},{"__ref":"Paragraph:7697f2ce4bbd_59"},{"__ref":"Paragraph:7697f2ce4bbd_60"},{"__ref":"Paragraph:7697f2ce4bbd_61"},{"__ref":"Paragraph:7697f2ce4bbd_62"},{"__ref":"Paragraph:7697f2ce4bbd_63"},{"__ref":"Paragraph:7697f2ce4bbd_64"},{"__ref":"Paragraph:7697f2ce4bbd_65"},{"__ref":"Paragraph:7697f2ce4bbd_66"},{"__ref":"Paragraph:7697f2ce4bbd_67"},{"__ref":"Paragraph:7697f2ce4bbd_68"},{"__ref":"Paragraph:7697f2ce4bbd_69"},{"__ref":"Paragraph:7697f2ce4bbd_70"},{"__ref":"Paragraph:7697f2ce4bbd_71"},{"__ref":"Paragraph:7697f2ce4bbd_72"},{"__ref":"Paragraph:7697f2ce4bbd_73"},{"__ref":"Paragraph:7697f2ce4bbd_74"},{"__ref":"Paragraph:7697f2ce4bbd_75"},{"__ref":"Paragraph:7697f2ce4bbd_76"},{"__ref":"Paragraph:7697f2ce4bbd_77"},{"__ref":"Paragraph:7697f2ce4bbd_78"},{"__ref":"Paragraph:7697f2ce4bbd_79"},{"__ref":"Paragraph:7697f2ce4bbd_80"},{"__ref":"Paragraph:7697f2ce4bbd_81"},{"__ref":"Paragraph:7697f2ce4bbd_82"},{"__ref":"Paragraph:7697f2ce4bbd_83"},{"__ref":"Paragraph:7697f2ce4bbd_84"},{"__ref":"Paragraph:7697f2ce4bbd_85"},{"__ref":"Paragraph:7697f2ce4bbd_86"},{"__ref":"Paragraph:7697f2ce4bbd_87"},{"__ref":"Paragraph:7697f2ce4bbd_88"},{"__ref":"Paragraph:7697f2ce4bbd_89"},{"__ref":"Paragraph:7697f2ce4bbd_90"},{"__ref":"Paragraph:7697f2ce4bbd_91"},{"__ref":"Paragraph:7697f2ce4bbd_92"},{"__ref":"Paragraph:7697f2ce4bbd_93"},{"__ref":"Paragraph:7697f2ce4bbd_94"},{"__ref":"Paragraph:7697f2ce4bbd_95"},{"__ref":"Paragraph:7697f2ce4bbd_96"},{"__ref":"Paragraph:7697f2ce4bbd_97"},{"__ref":"Paragraph:7697f2ce4bbd_98"},{"__ref":"Paragraph:7697f2ce4bbd_99"},{"__ref":"Paragraph:7697f2ce4bbd_100"},{"__ref":"P
aragraph:7697f2ce4bbd_101"},{"__ref":"Paragraph:7697f2ce4bbd_102"},{"__ref":"Paragraph:7697f2ce4bbd_103"},{"__ref":"Paragraph:7697f2ce4bbd_104"},{"__ref":"Paragraph:7697f2ce4bbd_105"},{"__ref":"Paragraph:7697f2ce4bbd_106"},{"__ref":"Paragraph:7697f2ce4bbd_107"},{"__ref":"Paragraph:7697f2ce4bbd_108"},{"__ref":"Paragraph:7697f2ce4bbd_109"},{"__ref":"Paragraph:7697f2ce4bbd_110"},{"__ref":"Paragraph:7697f2ce4bbd_111"},{"__ref":"Paragraph:7697f2ce4bbd_112"},{"__ref":"Paragraph:7697f2ce4bbd_113"},{"__ref":"Paragraph:7697f2ce4bbd_114"},{"__ref":"Paragraph:7697f2ce4bbd_115"},{"__ref":"Paragraph:7697f2ce4bbd_116"},{"__ref":"Paragraph:7697f2ce4bbd_117"},{"__ref":"Paragraph:7697f2ce4bbd_118"},{"__ref":"Paragraph:7697f2ce4bbd_119"},{"__ref":"Paragraph:7697f2ce4bbd_120"},{"__ref":"Paragraph:7697f2ce4bbd_121"},{"__ref":"Paragraph:7697f2ce4bbd_122"}],"sections":[{"__typename":"Section","name":"7945","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null},{"__typename":"Section","name":"6aeb","startIndex":53,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null}]}}},"Paragraph:7697f2ce4bbd_0":{"id":"7697f2ce4bbd_0","__typename":"Paragraph","name":"72a0","text":"Linux Threat Hunting Primer — Part II","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_1":{"id":"7697f2ce4bbd_1","__typename":"Paragraph","name":"0c14","text":"By Shachar 
Roitman","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":3,"end":18,"type":"A","href":"https:\u002F\u002Fil.linkedin.com\u002Fin\u002Fshachar-roitman-94bb27157?trk=people-guest_profile-result-card_result-card_full-click","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_2":{"id":"7697f2ce4bbd_2","__typename":"Paragraph","name":"05d5","text":"In the previous post “Linux Threat Hunting Primer — Part 1” , we discussed how to start the threat hunting process and reviewed the statistical distribution of the Linux tactics and techniques. We also created lists of techniques to search for after performing ROI estimation. Moreover, we began to list the different stages required in the process of threat hunting. In this post, we will describe and demonstrate a full threat hunting process on one MITRE ATT&CK technique.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":21,"end":58,"type":"A","href":"https:\u002F\u002Fmedium.com\u002F@VerintCyberSec\u002Fdd11b156cb7d","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_3":{"id":"7697f2ce4bbd_3","__typename":"Paragraph","name":"a320","text":"All of the queries I’m going to show will be in the TPSQL language (Verint Threat Protection System (TPS) Query Language). 
Don’t worry, the language is simple to understand.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":68,"end":99,"type":"A","href":"https:\u002F\u002Fcis.verint.com\u002Ftps\u002F","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_4":{"id":"7697f2ce4bbd_4","__typename":"Paragraph","name":"d08c","text":"TPS agents collect data using various techniques including auditd and custom kernel modules. You can refer to strace, ptrace and auditd documentation or output on your system to get additional insight about the fields and queries we’re going to use in the post.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":59,"end":65,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":110,"end":116,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":118,"end":124,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":129,"end":135,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_5":{"id":"7697f2ce4bbd_5","__typename":"Paragraph","name":"9792","text":"Credential Dumping — Example of a full threat hunting process","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_6":{"id":"7697f2ce4bbd_6","__typename":"Paragraph","name":"aecb","text":"Stage 0: Understand the attack and\u002For technique you’d like to 
find","type":"H4","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_7":{"id":"7697f2ce4bbd_7","__typename":"Paragraph","name":"08f9","text":"There are two important questions to ask ourselves at this point :","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_8":{"id":"7697f2ce4bbd_8","__typename":"Paragraph","name":"ae7b","text":"What does the attacker want to accomplish when performing the attack?","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_9":{"id":"7697f2ce4bbd_9","__typename":"Paragraph","name":"5384","text":"How is he going to do it?","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_10":{"id":"7697f2ce4bbd_10","__typename":"Paragraph","name":"9550","text":"What is credential dumping?","type":"H4","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_11":{"id":"7697f2ce4bbd_11","__typename":"Paragraph","name":"5d80","text":"“Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software.” [MITRE ATT&CK definition, 
T1003]","type":"BQ","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":212,"end":217,"type":"A","href":"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1003\u002F","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_12":{"id":"7697f2ce4bbd_12","__typename":"Paragraph","name":"d164","text":"In Linux, abusing the \u002Fproc directory is one of the most common courses of action for this kind of attack. A common technique is reading the memory of a process from \u002Fproc\u002F[pid]\u002Fmaps and dumping\u002Fharvesting passwords using root privileges.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":22,"end":27,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":166,"end":182,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_13":{"id":"7697f2ce4bbd_13","__typename":"Paragraph","name":"ea95","text":"As a demonstration, we will check if we can find plain text passwords in memory dumps. For the following example, I am using Linux Memory Extractor (LiMe):","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":125,"end":154,"type":"A","href":"https:\u002F\u002Fgithub.com\u002F504ensicsLabs\u002FLiME","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_14":{"id":"7697f2ce4bbd_14","__typename":"Paragraph","name":"bfdd","text":"The “shachar” user is in the sudo group, so this account can be used for privilege escalation. 
I dumped the memory using LiMe and searched for plain text passwords (using strings and grep commands).","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":5,"end":12,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":29,"end":33,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":171,"end":178,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":183,"end":187,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_15":{"id":"7697f2ce4bbd_15","__typename":"Paragraph","name":"ac92","text":"From the users point of view:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_16":{"id":"7697f2ce4bbd_16","__typename":"Paragraph","name":"4bfe","text":"Image 1: The user wanted to perform an action, which required “root” privileges","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*fVw-yGXYUKguz7faC5WGzQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_17":{"id":"7697f2ce4bbd_17","__typename":"Paragraph","name":"5b62","text":"From the attacker point of view (Memory 
dump):","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_18":{"id":"7697f2ce4bbd_18","__typename":"Paragraph","name":"d20d","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*Rd8X0baeT2kCO1B9Wi-zlw.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_19":{"id":"7697f2ce4bbd_19","__typename":"Paragraph","name":"da3c","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*ZbhH-e6EYegl1wV6ARia0w.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_20":{"id":"7697f2ce4bbd_20","__typename":"Paragraph","name":"55db","text":"Images 2–4: I looked for Shachar’s user login action in the memory and for a password pattern","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*FNjmoV20wJHQeSjS_EasHQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_21":{"id":"7697f2ce4bbd_21","__typename":"Paragraph","name":"f8f6","text":"Now that we verified that some plain-text passwords can be found in memory it’s clear that an attacker can also leverage this to steal passwords. 
Next, we’ll look at the different ways this attack can be implemented.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_22":{"id":"7697f2ce4bbd_22","__typename":"Paragraph","name":"ccd4","text":"Stage 1: Find ways to implement this technique","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_23":{"id":"7697f2ce4bbd_23","__typename":"Paragraph","name":"ba49","text":"Now that we understand the technique, we’d like to find the variety of ways to implement it. For example, which syscalls, files or process are involved in the different stages of the attack?","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_24":{"id":"7697f2ce4bbd_24","__typename":"Paragraph","name":"e978","text":"In this stage, we will see malicious tools that implement the attack and how they do it. In addition, we will look for the attack footprint on the OS.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_25":{"id":"7697f2ce4bbd_25","__typename":"Paragraph","name":"4725","text":"Reading previous research papers on credential dumping (see: http:\u002F\u002Fwww.foo.be\u002Fcours\u002Fmssi-20072008\u002Fdavidoff-clearmem-linux.pdf) confirms and reinforces the behavior that we witnessed in the previous stage. 
The research indicates that an attacker can see the user’s account information in different processes memory, such as:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":61,"end":126,"type":"A","href":"http:\u002F\u002Fwww.foo.be\u002Fcours\u002Fmssi-20072008\u002Fdavidoff-clearmem-linux.pdf","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_26":{"id":"7697f2ce4bbd_26","__typename":"Paragraph","name":"f69f","text":"By looking at Gnome Display Manager Process memory dump, we can see the Linux login password in ASCII as well as information from \u002Fetc\u002Fshadow and \u002Fetc\u002Fpasswd. This includes the login shadow password, username, long name, UID, GID, home directory, and shell.","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":130,"end":141,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":146,"end":157,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_27":{"id":"7697f2ce4bbd_27","__typename":"Paragraph","name":"302c","text":"The thunderbird-bin process memory contains the user’s plain text email password, name, email address, mail server and related information in ASCII format.","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":4,"end":19,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_28":{"id":"7697f2ce4bbd_28","__typename":"Paragraph","name":"7273","text":"The cleartext SSH password was stored as ASCII text within a large block of nulls in the memory 
image.","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_29":{"id":"7697f2ce4bbd_29","__typename":"Paragraph","name":"38cb","text":"Stage 2: Find anomalies","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_30":{"id":"7697f2ce4bbd_30","__typename":"Paragraph","name":"2306","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*io5nl4TH24wQgMsR_YBY5g.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_31":{"id":"7697f2ce4bbd_31","__typename":"Paragraph","name":"65f3","text":"Using the information we gathered from the research on the technique. We’ll now search for the suspicious behaviors in the network by focusing on anomalies (Look for techniques using multiple dimensions: parent\u002Fchild relationships, command lines arguments, environment variables, accounts, permissions, memory etc.)","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_32":{"id":"7697f2ce4bbd_32","__typename":"Paragraph","name":"46e4","text":"The following examples will help you define your searches:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_33":{"id":"7697f2ce4bbd_33","__typename":"Paragraph","name":"1902","text":"Search for processes that use \u002Fproc\u002F\u003Cpid\u003E\u002Fmaps, \u002Fetc\u002Fpasswd, \u002Fetc\u002Fshadow files or modifications of \u002Fetc\u002Flogin.defs file which provides the default configuration information for several user account 
parameters.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":30,"end":46,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":48,"end":59,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":61,"end":72,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":99,"end":114,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_34":{"id":"7697f2ce4bbd_34","__typename":"Paragraph","name":"8f75","text":"Pay attention that useradd, usermod, userdel and groupadd system commands as well as other user management utilities read the login.defs file. We can study the interaction between these commands and login.defs so that we can filter out expected behavior (i.e. false positives) in the next steps of our 
investigation","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":19,"end":26,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":28,"end":35,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":37,"end":44,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":49,"end":57,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":126,"end":136,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":199,"end":209,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_35":{"id":"7697f2ce4bbd_35","__typename":"Paragraph","name":"6ddb","text":"Look for users that performed file activity on memory dump files that were created by the OS.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_36":{"id":"7697f2ce4bbd_36","__typename":"Paragraph","name":"48b6","text":"Normally, memory crash files are located in \u002Fvar\u002Fcrash, but can also be found in \u002Fvar\u002Fspool or 
\u002Fvar\u002Flib\u002Fsystemd\u002Fcoredump","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":44,"end":54,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":81,"end":91,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":95,"end":120,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_37":{"id":"7697f2ce4bbd_37","__typename":"Paragraph","name":"9462","text":"kdump is a kernel crash dumping utility. This utility can be enabled using a systemctl command. We can look for commands like:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":5,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":77,"end":86,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_38":{"id":"7697f2ce4bbd_38","__typename":"Paragraph","name":"e31c","text":"$ systemctl enable kdump.service","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":32,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_39":{"id":"7697f2ce4bbd_39","__typename":"Paragraph","name":"fa2b","text":"$ systemctl start 
kdump.service","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":31,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_40":{"id":"7697f2ce4bbd_40","__typename":"Paragraph","name":"5809","text":"In addition, we can check for modifications to coredump sysctl config \u002Fetc\u002Fsysctl.d\u002F50-coredump.conf. Following are additional files that can be manipulated for malicious dumping:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":70,"end":102,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_41":{"id":"7697f2ce4bbd_41","__typename":"Paragraph","name":"e3ff","text":"\u002Fetc\u002Fsystemd\u002Fcoredump.conf","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":26,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_42":{"id":"7697f2ce4bbd_42","__typename":"Paragraph","name":"dfd2","text":"\u002Fetc\u002Fsystemd\u002Fcoredump.conf.d\u002F*.conf","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":35,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_43":{"id":"7697f2ce4bbd_43","__typename":"Paragraph","name":"f693","text":"\u002Frun\u002Fsystemd\u002Fcoredump.conf.d\u002F*.conf","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":35,"type":"EM","href":null,"
anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_44":{"id":"7697f2ce4bbd_44","__typename":"Paragraph","name":"3b7f","text":"\u002Fusr\u002Flib\u002Fsystemd\u002Fcoredump.conf.d\u002F*.conf","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":39,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_45":{"id":"7697f2ce4bbd_45","__typename":"Paragraph","name":"219d","text":"\u002Fetc\u002Fsystemd\u002Fsystemd.conf","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":25,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_46":{"id":"7697f2ce4bbd_46","__typename":"Paragraph","name":"2708","text":"We can also look for the use of memory dumping commands, like:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_47":{"id":"7697f2ce4bbd_47","__typename":"Paragraph","name":"0da3","text":"gcore","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":5,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_48":{"id":"7697f2ce4bbd_48","__typename":"Paragraph","name":"0ad8","text":"cat 
\u002Fproc\u002F\u003Cpid\u003E\u002Fmaps","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":20,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_49":{"id":"7697f2ce4bbd_49","__typename":"Paragraph","name":"63a4","text":"gdb -pid \u003Cpid\u003E Then in the GDB shell: (gdb) dump memory \u002Froot\u002Foutput offset","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":14,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":38,"end":75,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_50":{"id":"7697f2ce4bbd_50","__typename":"Paragraph","name":"55c3","text":"And common credential dumping tools, like:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_51":{"id":"7697f2ce4bbd_51","__typename":"Paragraph","name":"624e","text":"mimipenguin","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_52":{"id":"7697f2ce4bbd_52","__typename":"Paragraph","name":"93bb","text":"3snake","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_53":{"id":"7697f2ce4bbd_53","__typename":"Paragraph","name":"fb4f","text":"Let’s get a more in-depth look at the these tools, starting with 
mimipenguin.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_54":{"id":"7697f2ce4bbd_54","__typename":"Paragraph","name":"21ea","text":"mimipenguin — A tool to dump login passwords of Linux users","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":11,"type":"A","href":"https:\u002F\u002Fgithub.com\u002Fhuntergregal\u002Fmimipenguin","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_55":{"id":"7697f2ce4bbd_55","__typename":"Paragraph","name":"375c","text":"To understand mimipenguin process activity we’ll take a look at the process tree. More specifically, we’ll search for the gcore utility in the process tree (See below - any gcore image running under bash → sudo) because we know mimipinguin uses it to dump memory.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":14,"end":25,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":122,"end":127,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":173,"end":178,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":199,"end":210,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":228,"end":239,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_56":{"id":"7697f2ce4bbd_56","__typename":"Paragraph","name":"574b","text":"By analyzing the process tree we can find suspicious parent-child relationships and understand the process 
activity:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_57":{"id":"7697f2ce4bbd_57","__typename":"Paragraph","name":"950e","text":"","type":"IMG","href":null,"layout":"OUTSET_LEFT","metadata":{"__ref":"ImageMetadata:1*4HP4BVieSOeSgFhrsTuT3g.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_58":{"id":"7697f2ce4bbd_58","__typename":"Paragraph","name":"1dc4","text":"Image 5–6: Verint TPS builds a tree for each executed process. We can see in this image that “mimipenguin” runs under the “sudo” process who is a child of “bash” and creates a “dash” child process that is the parent of “gnome-keyring-daemon” (service that stores passwords) process. The process tree helps us understand the full activity in the process parent — child dimension.","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*9mlhAq86oaeTAqYLqeUPqw.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":123,"end":127,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_59":{"id":"7697f2ce4bbd_59","__typename":"Paragraph","name":"457b","text":"After we have an initial lead from the process tree, we can further investigate the raw data and analyse parameters such as the command line, path and 
users.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_60":{"id":"7697f2ce4bbd_60","__typename":"Paragraph","name":"131e","text":"","type":"IMG","href":null,"layout":"OUTSET_CENTER","metadata":{"__ref":"ImageMetadata:1*iJjryOjP3EuL_1FKpSnsxg.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_61":{"id":"7697f2ce4bbd_61","__typename":"Paragraph","name":"667f","text":"Image 7–8: Verint’s TPS presents full command line, image path, user and MD5 for each executed process. We can see in this image the full commands and that the process runs with “sudo” privileges under the user “root”. This is important for behavioral analysis and threat hunting.","type":"IMG","href":null,"layout":"OUTSET_CENTER","metadata":{"__ref":"ImageMetadata:1*iEY9-VzilxpJMk9EeC3kKw.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_62":{"id":"7697f2ce4bbd_62","__typename":"Paragraph","name":"d35b","text":"(Another way to get this full information will be — combining the output from ps, who, uname, ptrace, strace and file 
commands; note that ptrace is a kernel facility rather than a command — strace is the user-space tool built on it — and that output gathered by tools running on the suspect host itself can be subverted by a rootkit or a replaced binary, so prefer kernel-level or out-of-band collection where possible)","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":78,"end":80,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":82,"end":85,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":87,"end":92,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":94,"end":100,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":102,"end":109,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":113,"end":118,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_63":{"id":"7697f2ce4bbd_63","__typename":"Paragraph","name":"6a2b","text":"We will look for gnome-keyring-daemon process that does not run under its normal parent process. 
To understand what is “normal”, we will look at a benign “gnome-keyring-daemon” process tree.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":17,"end":37,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_64":{"id":"7697f2ce4bbd_64","__typename":"Paragraph","name":"c44e","text":"Image 9: we will look at the child and parent process of the benign “gnome-keyring-daemon” process from the process tree.","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*OWIYj0WIuOCcqgIgh9LHJQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_65":{"id":"7697f2ce4bbd_65","__typename":"Paragraph","name":"df6e","text":"Image 10: looking for “Xsession” parent process to find “gnome-keyring-daemon” full process tree.","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*r0jWBntXe01IJuvtPHqGgA.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_66":{"id":"7697f2ce4bbd_66","__typename":"Paragraph","name":"8b5e","text":"In conclusion, we will look for gnome-keyring-daemon that does not run under the following tree (this chain is specific to a GDM/Xsession desktop login; other display managers, Wayland sessions or headless servers will produce a different parent chain, so baseline it per environment rather than hard-coding this one):","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":32,"end":52,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_67":{"id":"7697f2ce4bbd_67","__typename":"Paragraph","name":"f285","text":"gdm-session-worker → Xsession → gnome-keyring-daemon → 
gnome-keyring-daemon","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":19,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":21,"end":29,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":32,"end":52,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":55,"end":75,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_68":{"id":"7697f2ce4bbd_68","__typename":"Paragraph","name":"9fb2","text":"Now we’ll turn to look at the other tool mentioned above called “3snake”.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_69":{"id":"7697f2ce4bbd_69","__typename":"Paragraph","name":"2c6b","text":"3snake — Dump sshd and sudo credential related strings","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":14,"end":18,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":23,"end":27,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_70":{"id":"7697f2ce4bbd_70","__typename":"Paragraph","name":"eee3","text":"By understanding how “3snake” works, you can learn how to search for it in the data:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_71":{"id":"7697f2ce4bbd_71","__typename":"Paragraph","name":"bc2c","text":"3snake attaches to running sshd and sudo processes and inspects the buffers passed to the system calls that handle password-based 
authentication","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_72":{"id":"7697f2ce4bbd_72","__typename":"Paragraph","name":"6ebb","text":"It doesn’t write to the memory of the traced process, so detections keyed on memory writes or code injection will not fire; the observable is the ptrace attach itself (for example a non-zero TracerPid in \u002Fproc\u002F\u003Cpid\u003E\u002Fstatus of sshd or sudo, or an audit rule on the ptrace system call)","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_73":{"id":"7697f2ce4bbd_73","__typename":"Paragraph","name":"a581","text":"3snake forks a new child process for every sshd or sudo process it decides to trace","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_74":{"id":"7697f2ce4bbd_74","__typename":"Paragraph","name":"e7e7","text":"It listens for process-creation events over a netlink (proc connector) socket to find candidate sshd and sudo processes to trace","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_75":{"id":"7697f2ce4bbd_75","__typename":"Paragraph","name":"1af6","text":"When it sees a new sshd or sudo process, it attaches with ptrace and traces the read and write system calls, extracting strings related to password-based authentication. Because sshd and sudo run as root, 3snake itself has to run as root, so finding it means the attacker already holds root on that host","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_76":{"id":"7697f2ce4bbd_76","__typename":"Paragraph","name":"267a","text":"From the above analysis, we conclude that 3snake creates multiple threads and processes. 
We will look for excessive process-spawning activity as in the process tree below:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_77":{"id":"7697f2ce4bbd_77","__typename":"Paragraph","name":"9e8b","text":"You should look for this anomaly — multiple processes across three generations of the “3snake” process executing on a single endpoint. Do not key the hunt on the name “3snake”, which an attacker will simply rename; key it on the shape: an unfamiliar binary running as root that repeatedly forks children which attach to sshd or sudo via ptrace.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_78":{"id":"7697f2ce4bbd_78","__typename":"Paragraph","name":"9338","text":"Image 11: Verint’s TPS builds a tree for each executed process. In the above image, we notice that “3snake” spawns itself multiple times.","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*SDKkLzsh8ofgYCuFDj1gBQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_79":{"id":"7697f2ce4bbd_79","__typename":"Paragraph","name":"0614","text":"Stage 3: Filter out “normal” activities","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_80":{"id":"7697f2ce4bbd_80","__typename":"Paragraph","name":"9278","text":"In this stage, we’ll learn the normal activity of the network. This will help you to reduce the number of results. Be careful with your assumptions, so that you don’t filter out too much data or overfit to a specific system. Do not forget to refactor the query. 
When you finish, check if there is a technique missing or more “known good” data to filter out.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_81":{"id":"7697f2ce4bbd_81","__typename":"Paragraph","name":"eb70","text":"In our credential-dumping hunt, we can do the following:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_82":{"id":"7697f2ce4bbd_82","__typename":"Paragraph","name":"1d9b","text":"Identify normal passwd activity, for example, look for all passwd references as a process or as a process command line:","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_83":{"id":"7697f2ce4bbd_83","__typename":"Paragraph","name":"65fa","text":"Image 12: The TPS endpoint forensics agent collects process execution information from the kernel. We can search that data for references to the “passwd” file or system command. Another way to get this information is to combine the output of the “ps”, “who”, “uname”, “strace” (which is built on the kernel’s ptrace facility) and “file” commands — bearing in mind that tools run on the suspect host itself can be subverted by a replaced binary.","type":"IMG","href":null,"layout":"OUTSET_CENTER","metadata":{"__ref":"ImageMetadata:1*zylUKyd7zBiAuRaTy0qiYA.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_84":{"id":"7697f2ce4bbd_84","__typename":"Paragraph","name":"15a2","text":"2. 
Find indicators of benign activity, like the full process tree: (systemd → anacron → dash → run-parts → dash → (cmp,chmod,cmp,cp)), user: root — on Debian-based systems this looks like the daily cron job that backs up passwd and shadow into \u002Fvar\u002Fbackups (the cmp\u002Fcp\u002Fchmod sequence), which is presumably also the source of the “600 shadow.bak” command seen later; confirm against \u002Fetc\u002Fcron.daily\u002Fpasswd on your own hosts","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_85":{"id":"7697f2ce4bbd_85","__typename":"Paragraph","name":"730c","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*7TuWnJ1p1eDE14FuDjmsbA.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_86":{"id":"7697f2ce4bbd_86","__typename":"Paragraph","name":"528b","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*wzce5lv2mH49H1lTmkDU0Q.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_87":{"id":"7697f2ce4bbd_87","__typename":"Paragraph","name":"bbfa","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*0svrv5wz6RHUZygyDW2L0w.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_88":{"id":"7697f2ce4bbd_88","__typename":"Paragraph","name":"10cb","text":"Image 13: We can search that data for references to the “shadow” file or system command in order to baseline benign activity.","type":"IMG","href":null,"layout":"OUTSET_CENTER","metadata":{"__ref":"ImageMetadata:1*-E0HdsxPZJokuyMpaHOUBQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_89":{"id":"7697f2ce4bbd_89","__typename":"Paragraph","name":"060f","text":"3. 
Check System processes normal activity for relevant commands (like compgen, getent, passwd, useradd, groupadd, usermod, chsh, chfn, users, id, groups, last, logname, w, who, whoami, members, groupmod, finger, su, gpasswd, chgrp)","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":70,"end":77,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":79,"end":85,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":87,"end":93,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":95,"end":102,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":104,"end":112,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":114,"end":121,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":123,"end":127,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":129,"end":133,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":135,"end":140,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":142,"end":144,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":146,"end":152,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":154,"end":158,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":160,"end":167,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":169,"end":170,"type":"EM","href":null,"an
chorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":172,"end":175,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":177,"end":183,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":185,"end":192,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":194,"end":202,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":204,"end":210,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":212,"end":214,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":216,"end":223,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":225,"end":230,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_90":{"id":"7697f2ce4bbd_90","__typename":"Paragraph","name":"e7ce","text":"4. Search whether \u002Fetc\u002Fshadow and \u002Fetc\u002Fpasswd were copied or read together (John the Ripper’s unshadow utility merges the two into a crackable hash file, so an attacker needs both) by the same user or within a short time window. \u002Fetc\u002Fshadow is normally readable only by root (or the shadow group on Debian-based systems), so any other reader of it is itself an anomaly worth explaining.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":17,"end":29,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":34,"end":45,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_91":{"id":"7697f2ce4bbd_91","__typename":"Paragraph","name":"e050","text":"5. Check system binary activity; try to characterize the suspicious activity by multiple parameters (command line, privileges, memory, image path and hash etc.) 
to avoid whitelisting a full binary that can be poisoned (i.e. a system binary replaced with a malicious one). Where the data includes a file hash, as the TPS output above does, pin the allowlist to path plus hash, and verify system binaries against the package manager (e.g. rpm -V, or dpkg --verify \u002F debsums) before trusting them.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_92":{"id":"7697f2ce4bbd_92","__typename":"Paragraph","name":"1839","text":"For example, if you whitelist “ls” binary activity (by name and process tree only) to avoid result overload, you can miss malicious activity if “ls” was replaced with a malicious file.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_93":{"id":"7697f2ce4bbd_93","__typename":"Paragraph","name":"f6f2","text":"Stage 4: query, refine and repeat","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_94":{"id":"7697f2ce4bbd_94","__typename":"Paragraph","name":"bfae","text":"Now that we understand what an attack looks like and what normal behavior looks like, we will combine both and use them for threat hunting.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_95":{"id":"7697f2ce4bbd_95","__typename":"Paragraph","name":"e2b9","text":"Hunting for memory dump files","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_96":{"id":"7697f2ce4bbd_96","__typename":"Paragraph","name":"443a","text":"We’ll look for all dump files that were not created by the abrt process (abrt, the Automatic Bug Reporting Tool, is a Linux system daemon that reads process memory and may seem 
suspicious; abrt is specific to Red Hat-family distributions — on Debian\u002FUbuntu the equivalent is apport, and systemd-coredump may also write dumps, so extend the exclusion per distribution).","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":59,"end":63,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":73,"end":79,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_97":{"id":"7697f2ce4bbd_97","__typename":"Paragraph","name":"37df","text":"Query example:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_98":{"id":"7697f2ce4bbd_98","__typename":"Paragraph","name":"d0e3","text":"(Relying on the dump file name containing the string “dump” is weak — an attacker can name the file anything — but bear with me for the sake of this explanation.)","type":"IFRAME","href":null,"layout":"INSET_CENTER","metadata":null,"hasDropCap":null,"iframe":{"__typename":"Iframe","mediaResource":{"__ref":"MediaResource:1c6b645e93cc247dcd0ee090ce43b537"}},"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_99":{"id":"7697f2ce4bbd_99","__typename":"Paragraph","name":"9d8f","text":"To hunt for processes whose activity touches user-credential files, for example:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_100":{"id":"7697f2ce4bbd_100","__typename":"Paragraph","name":"ab95","text":"Processes that act on files containing passwords and do not run under the “run-parts”, “getent” or “abrt-watch-log” system commands, which are part of normal system activity.","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_101":{"id":"7697f2ce4bbd_101","__typename":"Paragraph","name":"6519","text":"Processes with 
command line that references important user-account control files such as shadow, passwd or login.","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_102":{"id":"7697f2ce4bbd_102","__typename":"Paragraph","name":"5830","text":"Don’t forget to filter the results of these sub-queries against normal OS behavior (such as the specific “600 shadow.bak” command line, presumably the chmod step of the daily passwd\u002Fshadow backup job)","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_103":{"id":"7697f2ce4bbd_103","__typename":"Paragraph","name":"67a0","text":"Look for dump file creation in the process command line","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_104":{"id":"7697f2ce4bbd_104","__typename":"Paragraph","name":"06ec","text":"We’ll look for dumping-tool activity, for example:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_105":{"id":"7697f2ce4bbd_105","__typename":"Paragraph","name":"c2d1","text":"","type":"IFRAME","href":null,"layout":"INSET_CENTER","metadata":null,"hasDropCap":null,"iframe":{"__typename":"Iframe","mediaResource":{"__ref":"MediaResource:cf9bac5898e36e20a7e3b498078f80b1"}},"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_106":{"id":"7697f2ce4bbd_106","__typename":"Paragraph","name":"5594","text":"To hunt for user-credential related files we’ll search all \u002Fetc\u002Fpasswd, \u002Fetc\u002Fshadow file activity that is not generated by the system’s user-management commands (the list in step 3 above), for 
example:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":59,"end":70,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":72,"end":83,"type":"EM","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:7697f2ce4bbd_107":{"id":"7697f2ce4bbd_107","__typename":"Paragraph","name":"0748","text":"","type":"IFRAME","href":null,"layout":"INSET_CENTER","metadata":null,"hasDropCap":null,"iframe":{"__typename":"Iframe","mediaResource":{"__ref":"MediaResource:1f69fbccfbaf8c3a637e3da3d728eb60"}},"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_108":{"id":"7697f2ce4bbd_108","__typename":"Paragraph","name":"83c5","text":"Now, for each query output , analyze the data and try to better understand the system behavior. Refactor the query using your conclusions about the behavior. In addition, filter out the “known good” activity that is specific to your network (e.g. 
remove SAP utilities activity)","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_109":{"id":"7697f2ce4bbd_109","__typename":"Paragraph","name":"49cc","text":"Beware — filtering out whole commands or binaries by name alone will lower your ability to detect process injection or binary poisoning; key each exclusion on as many attributes as you can (image path, hash, parent chain, user and command line).","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_110":{"id":"7697f2ce4bbd_110","__typename":"Paragraph","name":"6575","text":"Summary & Conclusions","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_111":{"id":"7697f2ce4bbd_111","__typename":"Paragraph","name":"6970","text":"We described a threat hunting process which includes four stages, summarized in the following steps:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_112":{"id":"7697f2ce4bbd_112","__typename":"Paragraph","name":"deec","text":"Understanding the attack techniques you’d like to find","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_113":{"id":"7697f2ce4bbd_113","__typename":"Paragraph","name":"043b","text":"Conducting research on how attackers implement these techniques","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_114":{"id":"7697f2ce4bbd_114","__typename":"Paragraph","name":"50f4","text":"Searching the suspicious data in the organization to find anomalies which require further 
analysis","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_115":{"id":"7697f2ce4bbd_115","__typename":"Paragraph","name":"ac28","text":"Filtering out normal activities which look anomalous","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_116":{"id":"7697f2ce4bbd_116","__typename":"Paragraph","name":"f431","text":"Repeating the above process while refining the queries until no anomalies are left or an attack was identified","type":"ULI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_117":{"id":"7697f2ce4bbd_117","__typename":"Paragraph","name":"e20a","text":"To exemplify the implementation of this process, we used information from MITRE ATT&CK Matrix as well as academic papers which surveyed past attacks against Linux based systems to prioritize a hunting hypothesis. I focused on the “credential dumping” technique since it is common, easy to understand and does not require a lot of research to threat hunt most of its implementations.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_118":{"id":"7697f2ce4bbd_118","__typename":"Paragraph","name":"542b","text":"The information provided throughout this blog includes queries against malicious data and examples of known good behavior which we can carefully whitelist. Each environment has its own unique anomalies. You need to carefully analyze all the anomalies you find and remove those which do not describe real threats to your network. 
It is a tedious and iterative process, but at the end you’ll be able to come to a conclusion about your hunt hypothesis.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_119":{"id":"7697f2ce4bbd_119","__typename":"Paragraph","name":"ee64","text":"I hope that this post helped you become even more excited about dealing with Linux threat hunting. I think that if you take each tactic systematically, you will find it interesting. Look at this experience as a new opportunity to see the beauty of Linux Internals.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_120":{"id":"7697f2ce4bbd_120","__typename":"Paragraph","name":"5561","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*VvjnekYka7oxwzaQkgSOUA.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_121":{"id":"7697f2ce4bbd_121","__typename":"Paragraph","name":"c72d","text":"—","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:7697f2ce4bbd_122":{"id":"7697f2ce4bbd_122","__typename":"Paragraph","name":"c56c","text":"Thanks to Oren Biderman and Michael Gendelman for reviewing this post and providing useful 
suggestions.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":10,"end":23,"type":"A","href":"https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Foren-biderman-1b734176\u002F","anchorType":"LINK","userId":null,"linkMetadata":null},{"__typename":"Markup","start":28,"end":45,"type":"A","href":"http:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fmicgen","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"ImageMetadata:1*fVw-yGXYUKguz7faC5WGzQ.png":{"id":"1*fVw-yGXYUKguz7faC5WGzQ.png","__typename":"ImageMetadata","originalHeight":70,"originalWidth":397,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*Rd8X0baeT2kCO1B9Wi-zlw.png":{"id":"1*Rd8X0baeT2kCO1B9Wi-zlw.png","__typename":"ImageMetadata","originalHeight":39,"originalWidth":447,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*ZbhH-e6EYegl1wV6ARia0w.png":{"id":"1*ZbhH-e6EYegl1wV6ARia0w.png","__typename":"ImageMetadata","originalHeight":25,"originalWidth":200,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*FNjmoV20wJHQeSjS_EasHQ.png":{"id":"1*FNjmoV20wJHQeSjS_EasHQ.png","__typename":"ImageMetadata","originalHeight":80,"originalWidth":607,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*io5nl4TH24wQgMsR_YBY5g.png":{"id":"1*io5nl4TH24wQgMsR_YBY5g.png","__typename":"ImageMetadata","originalHeight":336,"originalWidth":473,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*4HP4BVieSOeSgFhrsTuT3g.png":{"id":"1*4HP4BVieSOeSgFhrsTuT3g.png","__typename":"ImageMetadata","originalHeight":155,"originalWidth":353,"focusPercentX":null,"focusPercentY":null,"alt":"mimipinguin process tree"},"ImageMetadata:1*9mlhAq86oaeTAqYLqeUPqw.png":{"id":"1*9mlhAq86oaeTAqYLqeUPqw.png","__typename":"ImageMetadata","originalHeight":148,"originalWidth":348,"focusPercentX":null,"focusPercentY":null,"alt":"mimipinguin process 
</body></html>